I. Key Observations and Assessments1
Chairman Hawley, Ranking Member Whitehouse, distinguished members of the subcommittee, thank you for the opportunity to discuss a topic of critical importance to the United States. I want to begin with a few observations:
- Americans face systemic risk when using platforms operating in or owned by companies in countries with a history of cyber espionage, forced tech transfer, and a lack of rule of law. Without the same system of checks and balances against misuse we have in the United States, U.S. citizens are at high risk for data exploitation via these platforms. In addition to an established precedent of IP theft and espionage against the United States, private Chinese technology companies’ ability to resist the Chinese government is highly circumscribed at best. This is due in part to the Chinese government’s deliberate blending of the public and private digital landscape through Article Seven of China’s 2017 National Intelligence Law, where Chinese organizations and citizens are compelled to cooperate with “state intelligence work.”2 China’s much-examined 2017 Cybersecurity Law and subsequent updates also bolster this tactic.3 As public policy researchers noted last year, these laws “[entail] strict provisions requiring data to be housed inside China, as well as spot inspections and even black-box security audits.”4 If a company stores U.S. data overseas, that data may be subject to similar foreign legislation. “Country-agnostic” approaches (or, relatedly, vendor-neutral approaches to building out critical infrastructure like next generation wireless technology)—while rhetorically expedient—do not strike at the heart of these systemic issues.5
- China is exporting its values embedded in the technology itself and legal frameworks to the world. Leaked documents from TikTok indicate the company censors content on Tiananmen Square and Tibetan independence, and possibly reporting on the Hong Kong protests and the imprisonment of approximately one million Uighurs in Xinjiang detention camps.8 Not only is China exporting technology, particularly AI-related surveillance tech, but the Chinese “party-state” is also transmitting the laws and policies that govern its use. For instance, Vietnamese officials were trained in and attempted to implement a cybersecurity law modeled after China’s version of the legislation in 2018. This draft law contained strict data storage provisions (which gives access to a government “task force”), a mandate to open offices in Vietnam if requested by Vietnam’s Public Security Ministry, and overarching definitions of content.9 It is also expanding that access through its legislation: China’s full “internet security plan,” encompassing a soon-to-be-implemented 2020 Foreign Investment Law, will no longer render foreign-owned companies in China exempt from the Cybersecurity Law.10 Effectively, any data on communications networks in China will soon be subject to the Chinese Cybersecurity Bureau’s scrutiny, without requiring an official request. This ability to access more data from more sources lays the groundwork for its exploitation.11
- Private companies play an outsized role in this environment due to their sustained and unfettered access to a high volume and variety of personal data—behavioral and biometric—with high commercial value. A May 2019 survey indicated almost half (46%) of 18-24 year olds accept tech privacy agreements without reading a single word.12 This bargain has led to private tech companies’ often overwhelming access to consumer data, such as when IBM scraped millions of photos from unwitting citizens using photo hosting site Flickr at the beginning of this year.13
- The digital environment is growing more complex. The strategic intent of bad actors is increasingly difficult to delineate, and emerging technologies are exacerbating existing threats. Emerging technologies, particularly machine learning, will give malign actors the ability to turn data into insights. In addition, the strategic intent of nation-state actors, cybercriminals, and hacktivists is increasingly intertwined, heightening the chaotic nature of the landscape. Protecting the United States against these supercharged threats from various attack vectors will only get harder.
- Solutions are overdue. If democratic societies do not establish the rules of the road for data security and privacy protections, authoritarians will do it for us. By next year alone, approximately 30 billion devices will be connected to the internet, and by 2025, almost five billion people will have access to the web.14 This amounts to a huge attack surface for cybercriminals, adversarial nation-states, and other bad actors to both wreak havoc and set their own standards.
- A portion of these observations are derived or pulled directly from a paper written exclusively by the witness and dated October 2019, “Reclaiming Cyber Governance as a Bulwark Against—and Not a Tool of—Illiberalism” for the U.S. government’s Congressionally-mandated Cyber Solarium Commission. Expected release is 2020.
- “Beijing’s New National Intelligence Law: From Defense to Offense,” Lawfare, July 20, 2017, https://www.lawfareblog.com/beijings-new-national-intelligence-law-defense-offense; Further, the CCP’s September 2019 decision to send Chinese officials to work in 100 private companies in Hangzhou continues to muddy the waters between public and private industry.
- “Translation: China's New Draft 'Data Security Management Measures,'” New America, May 31, 2019, https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-chinas-new-draft-data-security-management-measures/; https://www.zdnet.com/article/chinas-cybersecurity-law-update-lets-state-agencies-pen-test-local-companies/; and https://www.newamerica.org/cybersecurity-initiative/digichina/blog/translation-cybersecurity-law-peoples-republic-china/.
- Ibid.; “Breakingviews - America can define down China’s harsh cyber rules,” Reuters, April 2, 2019, https://www.reuters.com/article/us-usa-trade-china-breakingviews/breakingviews-america-can-define-down-chinas-harsh-cyberrules-idUSKCN1RE08F; and “China’s Ambitious Rules to Secure ‘Critical Information Infrastructure,’” New America, July 14, 2017, https://www.newamerica.org/cybersecurity-initiative/blog/chinas-ambitious-rules-secure-critical-information-infrastructure/.
- Samantha Hoffman, "Engineering global consent: The Chinese Communist Party's data-driven power expansion," Policy brief Report No. 21/2019 (Australian Strategic Policy Institute, October 2019), https://s3-ap-southeast-2.amazonaws.com/ad-aspi/2019-10/Engineering%20global%20consent%20V2.pdf?eIvKpmwu2iVwZx4o1n8B5MAnncB75qbT.
- David Carroll, "Is TikTok a Chinese Cambridge Analytica data bomb waiting to explode?" qz.com, May 7, 2019, https://qz.com/1613020/tiktok-might-be-a-chinese-cambridge-analytica-scale-privacy-threat.
- Kara Frederick, "The 5G Future Is Not Just About Huawei," Foreignpolicy.com, May 3, 2019, https://foreignpolicy.com/2019/05/03/the-5g-future-is-not-just-about-huawei/.
- Alex Hern, “Revealed: How TikTok censors videos that do not please Beijing,” theguardian.com, September 25, 2019, https://www.theguardian.com/technology/2019/sep/25/revealed-how-tiktok-censors-videos-that-do-not-please-beijing; and Drew Harrell and Tony Romm, “TikTok’s Beijing roots fuel censorship suspicion as it builds a huge U.S. audience,” washingtonpost.com, September 15, 2019, https://www.washingtonpost.com/technology/2019/09/15/tiktoks-beijing-roots-fuel-censorship-suspicion-it-builds-huge-us-audience/.
- “Vietnam: Withdraw Problematic Cyber Security Law,” Human Rights Watch, June 7, 2018, https://www.hrw.org/news/2018/06/07/vietnam-withdraw-problematic-cyber-security-law
- “China’s New Cybersecurity Program: NO Place to Hide,” China Law Blog, September 30, 2019. https://www.chinalawblog.com/2019/09/chinas-new-cybersecurity-program-no-place-to-hide.html.
- This section is taken directly from the witness’s unpublished report for the U.S. Cyber Solarium Commission.
- Kim Hart, "Privacy policies are read by an aging few," Axios.com, February 28, 2019, https://www.axios.com/few-people-read-privacy-policies-survey-fec3a29e-2e3a-4767-a05c-2cacdcbaecc8.html.
- Olivia Solon, “Facial Recognition’s ‘dirty little secret’: Millions of online photos scraped without consent,” NBCNews.com, March 12, 2019, https://www.nbcnews.com/tech/internet/facial-recognition-s-dirty-little-secret-millions-online-photos-scrapedn981921.
- Kara Frederick, "The Rise of Municipal Ransomware," City-Journal.org, September 3, 2019, https://www.cityjournal.org/ransomware-attacks-against-cities.
In addition to new material, this testimony includes original content from the witness’s previously published work and media commentary.