The TechCrunch Global Affairs Project examines the increasingly intertwined relationship between the tech sector and global politics.
Recent prominent data breach incidents, such as hacks of the Office of Personnel Management, airline passenger lists and hotel guest data have made clear how vulnerable both public and private systems remain to espionage and cybercrime. What is less obvious is the way that a foreign adversary or competitor might target data that is less clearly relevant from a national security or espionage perspective. Today, data about public sentiment, such as the kinds of data used by advertisers to analyze consumer preferences, has become as strategically valuable as data about traditional military targets. As the definition of what is strategically valuable becomes increasingly blurred, the ability to identify and protect strategic data will be an increasingly complex and vital national security task.
This is particularly true with regards to nation-state actors like China, which seeks access to strategic data and seeks to use it to develop a toolkit against its adversaries. Last month, MI6 chief Richard Moore described the threat of China’s “data trap”: “If you allow another country to gain access to really critical data about your society,” Moore argued, “over time that will erode your sovereignty, you no longer have control over that data.” And most governments are only just beginning to grasp this threat.
In testimony to Congress last month, I argued that in order to defend democracy now, we need to better understand how particular datasets are collected and used by foreign adversaries, especially China. And if we're to properly defend strategic data (and define and prioritize just which datasets should be protected) in the future, we need to get creative about imagining how adversaries might use them.
The Chinese state’s use of technology to enhance its authoritarian control is a topic that has received considerable attention in recent years. The targeting of the Uyghur people in Xinjiang, aided by invasive and highly coercive use of surveillance technology, has been a focal point of this discussion. So, understandably, when most people think about the risks of China’s “tech authoritarianism” going global, they think about how similarly invasive surveillance can go global. But the real problem is far more significant and far less detectable because of the nature of the digital and data-driven technologies concerned.
The Chinese party-state apparatus is already using big data collection to support its efforts to shape, manage and control its global operating environment. It understands that data that seems insignificant on their own can carry enormous strategic value when aggregated. Advertisers may use data on public sentiment to sell us things we didn’t know we needed. An adversarial actor, on the other hand, might use this data to inform propaganda efforts that subvert democratic discourse on digital platforms.
The U.S. and other countries have rightly focused on the risk of malicious cyber intrusions — such as the aforementioned OPM, Marriott and United Airlines incidents that have been attributed to China-based actors — but data access needn’t be derived from a malicious intrusion or alteration in the digital supply chain. It simply requires an adversary like the Chinese state to exploit normal and legal business relationships that result in data-sharing downstream. These pathways are already developing, most visibly through mechanisms like the recently enacted Data Security Law and other state security practices in China.
Creating legal frameworks to access data is only one way China is working to ensure its access to domestic and global datasets. Another way is to own the market. In a recent report, my co-authors and I found that for the tech areas examined, China had the highest number of patent applications filed compared to other countries but didn’t have a correspondingly high impact factor.
This didn’t mean that Chinese companies were failing to lead, though. In China, the R&D incentive structure leads to researchers developing applications that have specific policy objectives — companies can own the market and refine their products later. Chinese leaders are very aware that their efforts to achieve global market dominance and set global tech standards will also facilitate access to more data overseas and their eventual integration across disparate platforms.
China is working on ways to marry otherwise unremarkable data to yield results that in aggregate can be quite revealing. After all, any data can be processed to generate value if put in the right hands. For example, in my 2019 report, “Engineering Global Consent,” I described the issue through a case study of Global Tone Communications Technology (GTCOM), a propaganda department-controlled company that provides translation services through machine translation. According to its PR, GTCOM also embeds products in the supply chains of companies like Huawei and AliCloud. But, GTCOM isn’t just providing translation services. According to a company official, the data it collects through its business activity “provide[s] technical support and assistance for state security.”
Moreover, the Chinese government, assuming better technical capabilities in the future, collects data that aren’t even apparently useful. The same technologies that contribute to everyday problem-solving and standard service provision can simultaneously enhance the Chinese party-state’s political control at home and abroad.
Responding to this growing problem will require thinking about the “tech race” with China differently. The issue is not simply about developing capabilities that compete but the ability to imagine future use cases to know what datasets are even worth protecting. States and organizations must develop ways of assessing the value of their data and the value that data may hold for potential parties who may gain access to it now or in the future.
We’ve already underestimated this threat by assuming that authoritarian regimes like China would weaken as the world became increasingly digitally interconnected. Democracies are not going to self-correct in response to the problems created by authoritarian applications of technology. We must reassess risk in a way that keeps up to date with the current threat landscape. If we fail to do so, we risk falling into China’s “data trap.”