Good afternoon, everyone, and thanks for traveling so far in order to be part of this important conference.
This Multilateral Action on Sensitive Technologies (MAST) process is still quite a new one, but it is very promising – a valuable opportunity for likeminded countries to compare experiences and improve coordination on common technology-transfer threats intimately linked to our common security in a geopolitically challenging world. I have spoken before about the importance of cultivating “coalitions of caution” in high-technology engagement with the People’s Republic of China (PRC) – and indeed in any engagement with our strategic competitors – and MAST is a good example of one of the ways in which this can be done. All your governments should be congratulated for coming together for this second annual plenary conference as a part of the ongoing MAST process. I hope you have found it as interesting and informative as we have.
I. The Huawei Challenge
As my contribution to this event, I would like to say a few words about the Chinese technology giant Huawei, which has been in the news quite a bit recently, since it was placed on the U.S. Department of Commerce’s “Entity List,” which imposes restrictions upon U.S. commercial engagement with specified persons and entities. Huawei was nominated to be put on the Entity List by my bureau early this year, after it was indicted by the U.S. Justice Department in January 2019 for theft of trade secrets, attempted theft of trade secrets, conspiracy wire fraud, and obstruction of justice, as well as for bank fraud and conspiracy to commit bank fraud, wire fraud and conspiracy to commit wire fraud, conspiracy to commit money laundering, and violations of the International Emergency Economic Powers Act (IEEPA) in illegally assisting Iran with sanctions evasion. The first tranche of the Huawei parent and its affiliates (69 entities) were duly placed on the Entity List in May 2019.
A company may be placed on the Entity List when there is “reasonable cause to believe … that the entity has been involved, is involved, or poses a significant risk of being or becoming involved in activities that are contrary to the national security or foreign policy interests of the United States,” and indeed the U.S. Government did put Huawei on the Entity List for sound national security and foreign policy reasons. Nevertheless, there seems to have been some confusion on the part of those who imagine that our problems with that company are at root only economic or commercial, stemming merely from more general U.S. trade and tariff disputes with China. This confusion is compounded by the Chinese and Huawei propaganda machine as well. But this is far from being the case: unfortunately, Huawei also presents deep national security and foreign policy problems.
Since we are here at this important MAST Conference to share perspectives on how to meet national security and foreign policy challenges related to potential transfers of sensitive technology, therefore, I am pleased to be able to have this opportunity to offer some more insight into the national security and foreign policy reasoning behind Huawei’s listing. There will of course still be some limits upon what I can recount to you here, but I will offer you today as much information as I can.
The facts do not paint a pretty picture. Nevertheless, I hope I will be able to convey to you the depth and seriousness of the Huawei problem.
II. Tools of Communist Party Influence and Control, at Home and Abroad
The first thing to remember is that the challenge presented by Chinese technology giants such as Huawei is not, first and foremost, a specifically “technical” problem, though it naturally has important technical aspects. At its core, it is a political and a geopolitical challenge.
Though they may have formally private ownership and operate in the national and in the international marketplace, global Chinese firms – including Huawei – are in key ways not genuinely private companies and do not make decisions entirely for economic and commercial reasons. Whether de facto or de jure, such giants can in some important respects or for some purposes act as arms of the state – or, more precisely, the Chinese Communist Party, to which the Chinese state apparatus is itself subordinate.
Irrespective of their ostensibly private, commercial status, all such firms are subject to a deep and pervasive system of Chinese Communist Party control. This control is not limited merely to the possible establishment of Chinese Communist Party cells within a company’s workforce and management structure – a development employed for many years by the Chinese Communist Party in China, but which has been expanding under Xi Jinping and is even being extended to foreign-owned companies operating in China – but also includes a formidable arsenal of state- and Party-manipulable pressures and incentives. There is also a deep bench of expansively-worded Chinese laws that require cooperation with state officials in virtually all matters, a heavy-handed security apparatus in no way shy about using such coercive tools, and a Party-run judicial system that precludes effective legal recourse to anyone with whom the Chinese Communist Party disagrees.
I will address this issue more in a moment, but suffice it to say that on balance the Chinese technology giants are not purely private actors, but instead function as at least de facto tools of the Chinese Communist Party when it matters most. The Chinese Communist Party uses them as instruments not only for making money but also for pursuing the Party-State’s agenda and fulfilling its strategic objectives. In their international engagements, moreover, projects undertaken by firms such as Huawei are subsidized by the government with massive lines of credit and long-duration loans with generous grace periods from state-owned banks in order to undercut competition and penetrate foreign markets more deeply. Clearly, more than commercial and economic interests are involved, and these firms are – among other things, to be sure, but for present purposes quite crucially – instruments of China’s geopolitical strategy.
It is important to remember all this, because when push comes to shove with the nominally private Chinese technology firms – that is, when Chinese Communist Party authorities really want them to do something – they too will almost certainly act, and must therefore be treated, as the functional equivalent of state-owned enterprises. This is critical, inasmuch as their non-separateness from the Chinese Communist Party’s authoritarian governance system makes these companies enablers for and instrumentalities of Party power.
It is not surprising, then, that the Chinese technology giants have become deeply enmeshed in Beijing’s system of oppression at home and its increasingly assertive strategic ambitions globally. Their role on behalf of the Party apparatus begins within China itself, where technology firms have helped the Chinese Communist Party construct an entirely new, modern model of authoritarian police state.
Back in the days of Mao Zedong, the iron grip of pervasive Party social and political control in China had to be maintained with the help of sons who would rat out their fathers for ideological nonconformity, students who would denounce their teachers for political crimes, neighborhood mutual-vigilance committees, public self-criticism sessions, mass imprisonment, and secret executions for which families would be sent a small bill to cover the cost of the bullet. By contrast, the Chinese regime’s social control techniques in this era of Big Data are growing vastly more sophisticated and in a sense even more deeply pervasive than ever – with a goal to construct an almost literally omnipresent surveillance state with sweeping opportunities for forms of electronically-facilitated coercion that are both exquisitely tailored to individual citizens and massively scaled for a population of more than a billion people. This is the frightening information-managed dystopia described by Samantha Hoffman as “Techno-Enhanced Authoritarianism.”
China’s technology “national champions” are the standard-bearers for the surveillance and information-facilitated coercive technologies that are making this oppressive police state possible, and jurisdictions such as the oxymoronically named Xinjiang Uighur Autonomous Region are where the pilot programs and proof-of-concept studies for these technologies of repression are being developed and carried out. These technologies are vital to China’s repressive campaign against Uighurs, ethnic Kazakhs, Kyrgyz, and other members of Muslim minority groups, resulting in the detention of at least one million individuals in internment camps since April 2017. These companies have helped the Chinese Party-State develop these tools, they are working with Chinese Communist Party authorities to test these grim methods on China’s own population, and through their foreign engagements they are making the export of such techniques into a key component of how Beijing is promoting and expanding its own repressive governance model worldwide.
A few years ago, under Hu Jintao, Chinese officials began to express increasing interest in promoting their distinctively oppressive “operating system” as a mode of governance to compete with, or even displace, Western-style liberal democracy around the globe. Under Hu, this was spoken of as China’s dream of a “harmonious world,” modeled generally on the “harmonious society” the Chinese Communist Party claimed to have created at home. (In this context, of course, invocations of “harmony” signal a commitment to suppressing disharmony — that is, disagreement with China and its ruling Party.) These days, Xi Jinping is more likely to speak — as he did at the 19th Party Congress — of how China offers a new model of modernization for the world: the “China Dream” or the “China Model” of authoritarian, state-managed capitalism. Though the terms differ, however, the basic idea is the same: China seeks to shape the world consistent with its authoritarian model – gaining veto authority over other nations’ economic, diplomatic, and security decisions.
Significantly, the modern “China Model” is built upon a foundation of technology-facilitated surveillance and social control. These techniques for ruling China have been – and continue to be – in critical ways developed, built, and maintained on behalf of the Party-State by technology firms such as Huawei, Tencent, ZTE, Alibaba, and Baidu. As these companies export their products and services to the rest of the world, the security and human rights problems associated with this “China Model” are progressively exported with them. Already, it has been reported that Ecuador, Venezuela, and Pakistan, among others, have become customers for such firms’ repression-facilitating technologies.
So this is the geopolitical context for understanding our specific concerns about companies such as Huawei. Countries that choose Huawei technology are opening the door to Chinese access to their domestic networks and local companies, as well as potential surveillance by Chinese officials, posing a potential threat to their national security and economic well-being.
III. China’s Mil-Civ Fusion Connection
The Chinese system of “military-civil fusion” (MCF) presents an additional layer of problems. Military-civil fusion is a national-level Chinese effort led by Xi Jinping himself that seeks systematically to break down – and indeed to routinize the breaking down of – barriers between China’s civilian and military sectors. The objective of this is to help build up Chinese power and ensure, among other things, that the People’s Liberation Army (PLA) is in a position to maximize its global geopolitical power by taking advantage of the “Revolution in Military Affairs” that Chinese officials envision arising out of modern advances in areas such as nuclear technology, aerospace, aviation, semiconductors, cloud computing, robotics, and “Big Data” processing.
From a technology-transfer perspective, the implications of military-civil fusion are, unfortunately, quite clear. As I pointed out last year,
“If any given technology is in any way accessible to China … and officials there believe it can be of any use to the country’s military and national security complex as Beijing prepares itself to challenge the United States for global leadership, one can be quite sure that the technology will be made available for those purposes – pretty much no matter what.”
From the perspective of dealing with China’s technology giants, the problem is therefore even worse than simply helping to enable the Chinese Communist Party’s human rights abuses at home and the export of repressive governance abroad. Military-civil fusion also means that it is very difficult and in many cases impossible to engage with China’s high-technology sector in a way that does not entangle a foreign entity in supporting ongoing Chinese efforts to develop or otherwise acquire cutting-edge technological capacities for China’s armed forces.
The augmentation of those armed forces is itself intimately tied to the Chinese Communist Party’s strategic agenda of refashioning the current global order into a more Sinocentric form. For this reason, involvement with technology giants such as Huawei necessarily entails some degree of assistance for this agenda.
IV. Compelled to Cooperate
So that is the strategic context for our concerns, and one of the reasons why we should all worry about becoming involved with the big Chinese technology firms. On the one hand, these firms export a repressive model of governance that is contrary to our democratic values. On the other hand, these firms are used by China to advance its military modernization program, which is quite contrary to security interests we all share. It is worth stressing, moreover, the degree to which these companies’ involvement in support of the Chinese Communist Party’s repressive domestic and revisionist global agendas is not optional.
Firms such as Huawei, Tencent, ZTE, Alibaba, and Baidu have no meaningful ability to tell the Chinese Communist Party “no” if officials decide to ask for their assistance – e.g., in the form of access to foreign technologies, access to foreign networks, useful information about foreign commercial counterparties, insight into patterns of foreign commerce, or specific information about the profiles, activity, or locations of foreign users of Chinese-hosted or -facilitated social media, computer or smartphone applications, or telecommunications. Such aid may not necessarily occur routinely, but it certainly can occur – and presumably will – whenever the Party considers this useful and cares to demand it.
Huawei officials have claimed publicly that Chinese law gives the “government” no authority to do things such as compel a firm to install cyber “back doors” in software code or hardware architectures, or to install “listening devices” in equipment. But even if you put aside that company’s cute rhetorical sleight-of-hand in making this claim – since, technically speaking, the supreme authority in China is not the “government” but rather the Communist Party – this claim is simply untrue. Multiple Chinese laws, in fact, require companies to cooperate unconditionally with the Chinese Communist Party’s security apparatus in order to “guarantee state security.” The National Intelligence Law, for instance, requires all entities in China to cooperate with its intelligence services, and covers both private companies and state-owned enterprises. Analogous provisions exist in China’s National Security Law, Counter-Terrorism Law, and Cybersecurity Law.
Accordingly, if a Chinese technology giant has access to your technology, your information, or your networks and the Party comes asking, the only answer the company can give is “Yes.” This is, unfortunately, a fact of life in the high-technology police state that is the modern PRC. If the U.S. government, by contrast, asked Google or Facebook for all of their user information, we would almost certainly be challenged by lawsuits – rightfully so given our respect for privacy and rule of law.
V. Huawei in Context: The Malign Ecosystem of Chinese Tech Giants
Nor is this merely a hypothetical concern, for across the malignant ecosystem of China’s technologized authoritarianism there is a deep record of cooperation and collaboration between companies such as Huawei, ZTE, Alibaba, Tencent, and Baidu and the state security bureaucracy.
Even speaking only about Huawei, that company has partnerships with the PLA, the Ministry of State Security, and military research institutes of Chinese state-owned enterprises, and it has lied about these ties and denied knowledge that its employees support joint research projects undertaken with such organizations.
The Wujiang Public Security police, for example, have apparently already used the Huawei 820 mobile police terminal to inspect more than 450,000 Chinese citizens and more than 80,000 vehicles since 2016, and have reportedly discovered and “disposed of” more than 100 illegal “personnel” – whatever might be meant by that disturbing phrasing. Huawei’s own documents brag that it is, among other things, providing “social stability” solutions in support of local officials in Pingan.
Huawei and other Chinese tech companies such as Tencent, ZTE, Alibaba, and Baidu are thereby used to reinforce the government’s surveillance efforts.
Huawei is also an important player in Beijing’s ongoing military-civil fusion effort to make available to the Chinese military any and all technologies it wants from among those to which the country’s civilian sector may have access. According to a December 2018 article published on the National Military-Civil Fusion Public Platform administered by the Ministry of Industry and Information Technology, products and technologies from Huawei, Tencent, Alibaba, Xiaomi, Lenovo, and other companies have already been used in the research, production, and repair of weapons and equipment for the PLA. These companies have also provided support services for China’s military industry in areas related to electronics, aerospace, shipbuilding, and weapons — all of which, incidentally, are key military-civil fusion target areas when it comes to foreign technology acquisition —to enhance the core competitiveness of China’s national defense science and technology sectors.
China’s military-civil fusion highlights the troubling lack of any clear separation between government, national strategies for military modernization, and the companies that are implementing and enabling those strategies to succeed. While domestic companies in many countries – including the United States – produce military equipment for their governments, these companies are not mandated under strategic guidance from the central government to go abroad seeking the technologies they cannot themselves produce, for the purposes of diverting them to military programs. Nor are such firms required by law to do so. Indeed, this would be in stark contravention of basic end-user commitments that govern trade in strategic technologies amongst advanced countries. As befits governance in a free, democratic society, U.S. policies and implementation of legal frameworks are subject to independent oversight by our Congress as well as by our independent judiciary, which ensures a comprehensive web of protection and multiple levels of oversight.
But things are quite different in China. China’s strategy of systematic technology acquisition and diversion exemplifies the close relationship and nearly indistinguishable status – for these purposes – between its own companies and the Chinese government. This stretches across a range of issues that should be challenging for all of us here today, from companies abusing technology trade to help the government develop military equipment for the PLA under military-civil fusion, to providing the technology that enables the modern Chinese surveillance state. As a result of all this, it is, by design, increasingly difficult to separate where commerce ends and the government begins.
At least as early as 2013, it is worth noting, a Huawei affiliate was providing technology to the PLA’s General Staff Department, to the Beijing Military Region, and to the Ministry of State Security – as well as to the PLA’s 2nd Artillery Corps, which was the name then used to describe China’s strategic rocket forces. That is an alarming set of bedfellows from a U.S. national security perspective.
Huawei also has strategic cooperation relationships with a number of state-owned enterprises involved with military production, such as the China Shipbuilding Industry Corporation’s “719 Research Institution.” In fact, Chinese military-civil fusion documentation specifically calls out Huawei’s 5G work for special appreciation in support of China’s push to develop its military industrial capabilities, as well as contributions by Tencent, Alibaba, and Baidu.
It would be wonderful, of course, if all of these problems with Huawei could be avoided by some technical fix or mitigation that somehow made 5G networks purchased from that company immune to outside manipulation. Unfortunately, this does not appear to be the case, as the notable potentialities for misuse, manipulation, and abuse that are structurally built into any dealings with Huawei have proven highly resistant to technical mitigation. Recent efforts to assess Huawei issues in the United Kingdom help illustrate this point, for even Britain’s high-caliber computer experts have been largely unable, over the course of a number of years, fully to address the risks and vulnerabilities created by the Huawei coding and architectures used even in the company’s 4G network.
Extensive work by the UK’s Huawei Cyber Security Centre of Excellence has demonstrated the limitations of technical mitigation, particularly related to shortcomings in Huawei’s engineering processes and software that exposed telecommunications networks to greater risk. Remarkably, there have been consistent challenges even in doing basic vetting of Huawei computer code, since the code the company apparently provided for study and evaluation did not match the code that was found actually deployed in Huawei’s routers — suggesting that the company was either notably erratic and incompetent or that it was trying to cheat the test. Neither possibility, of course, is particularly reassuring.
Moreover, continuing problems with trying to mitigate risks and vulnerabilities in Huawei’s 4G systems are likely only to be much worse with 5G networks. The distributed nature of those networks, their transition of more “core” functions to the “edge” of the network, and the use of software-defined networking and disaggregation create huge numbers of “attack surfaces” and many opportunities for inappropriate data monitoring and the introduction of vulnerabilities. All of this makes it structurally very difficult, if not impossible, truly to isolate vulnerabilities.
All in all, therefore, it is no wonder that the NATO Cooperative Cyber Defense Centre of Excellence has warned that “the issue of Huawei 5G deployment must be assessed in the broader geopolitical context,” and that “5G rollout needs to be recognized as a strategic rather than merely a technological choice.” Specifically, it notes that “Chinese companies are not only subsidized by the Chinese government but also legally compelled to work with its intelligence services … [and that] the fear remains that adopting 5G technology from Huawei would introduce a reliance on equipment which can be controlled by the Chinese intelligence services and the military in both peacetime and crisis.”
And indeed, many countries already do see the threats presented by Huawei’s growing penetration of the global 5G market, and have taken steps to secure their networks. Australia’s guidance on 5G issues, for instance, warns against vendors that are “subject to extrajudicial directions from a foreign government.” Similarly, the European Commission’s 5G recommendations warn against “risk of influence by a third country, notably in relation to its model of governance.” Japan and Taiwan have used procurement rules to secure their future 5G infrastructure. For its part, the Czech Republic recently hosted a conference of more than 30 countries, which issued a set of principles — the Prague Proposals — that urge adoption of best practices on how best to design, construct, and administer secure 5G infrastructure.
In light of all this, it seems to some of us to be nothing less than madness to allow Huawei to worm its way into one’s next-generation telecommunications networks – just as it seems nothing less than madness to allow other Chinese technology giants to vacuum up and expatriate personal and consumer data and to control electronic commerce in free sovereign nations. Unless the Chinese Communist Party fundamentally changes its strategies for economic development, military development, and control of its civilian population to prevent any organized opposition to its continued rule, it is difficult to see how China can change its strategies for using domestic companies to advance China’s national goals. This is the fundamental insight behind the national security risks posed by companies like Huawei.
If next-generation networks such as 5G are indeed the key to tomorrow’s connectivity in an increasingly information-saturated and bandwidth-hungry world, this merely makes the challenge presented by Huawei and other Chinese giants all the more acute. The world surely cannot afford to turn such critical capabilities over to technologists who are subject to control and manipulation by the Chinese Communist Party.