Published by The Lawfare Institute
in Cooperation With
Pence Calls Out Chinese Intellectual Property Theft
In a major speech on U.S.-China relations on Oct. 4, Vice President Mike Pence accused the Chinese government of “employing a whole-of-government approach ... to advance its influence and benefit its interests in the United States.” As part of this approach, Pence claimed, China had “directed its bureaucrats and businesses to obtain American intellectual property ... by any means necessary.” The Trump administration, he warned, would “not stand down” in the face of Chinese aggression and had “adopted a new approach to China” to counter Beijing’s efforts.
The Trump administration has previously lobbed similar accusations at China, but the vigor and sweeping range of the vice president’s speech indicated a newly hard-nosed posture towards Chinese leadership. Indeed, in the days after Pence’s speech, U.S. agencies quickly undertook a flurry of activities to counteract Chinese influence and economic espionage. On Oct. 10, the Justice Department unsealed an indictment against Chinese Ministry of State Security (MSS) officer Xu Yanjun following his arrest and extradition from Belgium earlier this year. The indictment charges Xu with stealing trade secrets from GE Aviation and other American aerospace companies in violation of the Economic Espionage Act of 1996. Xu has pleaded not guilty to charges including conspiracy to commit economic espionage and conspiracy to commit trade secret theft. Xu, a deputy division director with the MSS’s Jiangsu State Security Department, is the first Chinese intelligence officer to be extradited for prosecution in the United States. The Justice Department has targeted Chinese officials in the past, most notably through the indictment of five People’s Liberation Army officers for cyber espionage in 2015. Those indictments remained largely symbolic, however, as long as their targets remained ensconced in China. Xu’s indictment follows last month’s arrest of Chinese national Ji Chaoqun, who is accused of sending information to a deputy division director of the Jiangsu State Security Department; reports indicate that the two cases are linked.
The same week, the Treasury Department announced interim regulations for a pilot program that would increase CFIUS oversight to review “certain non-controlling investments in U.S. businesses involved in critical technologies” across 27 industries. That pilot program, which will begin on Nov. 10, makes use of CFIUS’s expanded scope under the Foreign Investment Risk Review Modernization Act (FIRRMA) passed into law in August 2018. While the pilot allows the U.S. government to review investments by foreign nationals from any country, its impetus appears to stem from the large volume of Chinese investments in strategic technology sectors. The Trump administration has also curbed exports of civilian nuclear technology to China, citing concerns that China was employing the technology for military purposes such as nuclear-powered submarines or floating power reactors that could be deployed to support military installations in the South China Sea.
Bloomberg Report on Chinese Spy Chips Meets Fierce Backlash
Vice President Pence’s claims were bolstered by controversial reporting that Chinese military intelligence officials had conducted a long-running project to plant compromising microchips in server motherboards used by major American tech companies and U.S. government agencies. Those accounts, published by Bloomberg in a bombshell article on the same day as Pence’s speech, describe a covert plot by agents from the People’s Liberation Army (PLA) to implant microchips in servers that San Jose hardware giant Super Micro Computer, more commonly known as SuperMicro, has produced for Elemental Technologies, a video-streaming service that has since been absorbed by Amazon Web Services. The PLA agents, according to the article, targeted upstream Chinese manufacturers contracted by SuperMicro’s suppliers, bribing or threatening the manufacturers in order to gain access to the newly manufactured motherboards. From there, the motherboards were integrated into Elemental servers and shipped to clients including Apple and Amazon. The Defense Department and CIA have also purchased servers from Elemental, but the article did not suggest that their servers had been compromised and reported that the FBI has been conducting its own investigation of the matter since at least 2015. Bloomberg’s sources stated that almost 30 companies had been found to be affected by the microchip.
But the companies identified by the article—Apple, Amazon, and SuperMicro—have categorically denied the existence of any hardware breach. Government agencies have also weighed in against the reporting. FBI Director Christopher Wray, when asked about the Bloomberg report during congressional testimony on Oct. 10, refused to acknowledge or refute the existence of an FBI investigation into the matter, but warned senators to “be careful what you read.” Senior NSA cyber official Rob Joyce invited anyone with knowledge of such an issue to come forward to federal authorities, saying the agency has not been able to corroborate the report. The Department of Homeland Security issued a statement that it had “no reason to doubt the statements from the companies named in the story.” The Chinese government has also denied the report, as has GCHQ, Britain’s signals-intelligence agency. And Joe Fitzpatrick, a security expert named as a source in the story, cast doubt on the final reporting in a podcast interview on Oct. 9.
In the face of the backlash, Bloomberg is sticking by its story, at least for now. On Oct. 9, it reported that an additional, unnamed U.S. telecom had discovered similar hardware intrusions on SuperMicro hardware in August. The episode speaks to deep anxieties about Chinese involvement in technology supply chains. Federal lawmakers and agencies have long cautioned that the Chinese government could exploit its dominance in hardware manufacturing to install backdoors in American information infrastructure. Those concerns have persisted; a 146-page report published by the Department of Defense earlier this month highlighted the threats that Chinese supply chains pose to the defense industrial base. These concerns have often found their way into law and policy. The 2019 National Defense Authorization Act, signed into law by President Trump in August, prohibits U.S. agencies from purchasing essential equipment from telecom giants Huawei and ZTE. Last week, Sens. Marco Rubio and Mark Warner sent a letter encouraging Canadian Prime Minister Justin Trudeau to “reconsider Huawei’s inclusion in any aspect of Canada’s 5G development.” But suspicions about Chinese hardware backdoors have generally focused on companies, like Huawei and PC manufacturer Lenovo, that are believed to have close connections to the Chinese government. Covert Chinese attacks against hardware contracted by American companies would extend the boundaries of U.S. cybersecurity concerns and encourage the type of more aggressive approach to China suggested by Vice President Pence’s speech.
In Other News
- In addition to economic threats, Vice President Pence’s speech on Oct. 4 also repeated President Trump’s earlier assertion that the Chinese government was meddling in the 2018 midterm elections. Cybersecurity firms, however, have been unable to find direct evidence of Chinese hacking aimed specifically at election interference. Senate Democrats have requested that the director of national intelligence provide evidence to support the administration’s claims.
- The American and Chinese governments are planning a meeting between President Trump and President Xi at the G20 Summit in Buenos Aires in November, although economic adviser Larry Kudlow has warned that the meeting is not yet set in stone. Treasury Secretary Steve Mnuchin warned on Oct. 12 that future trade talks would have to include discussions of currency manipulation, which has become an increasing worry among American officials, although the Treasury Department’s staff reportedly advised Mnuchin last week that China is not manipulating the renminbi.
- Judge Ed Kinkeade of the Southern District of Texas has extended the term of a court-appointed compliance monitor after determining that ZTE violated probation. The monitor, originally scheduled to expire in 2020, will now last until 2022. Probation was originally imposed after ZTE pled guilty in March 2017 to evading U.S. sanctions against Iran. In April of this year, the Commerce Department instituted a denial order against ZTE after an investigation revealed that ZTE had made false statements to the department and had rewarded, rather than punished, employees responsible for sanctions violations. After President Trump interceded, that denial order was replaced by a $1 billion penalty and severe compliance measures. Judge Kinkeade’s extension of the court-ordered compliance monitor punishes the same conduct. Kinkeade also increased the monitor’s power of investigation, bringing its authority in line with that of the compliance team appointed under the Commerce Department agreement earlier this year.
- Google CEO Sundar Pichai stated at Wired’s 25th anniversary summit that Google is still considering the possibility of launching a censored search engine in China, as it is “important for [Google] to explore” the Chinese market given its size and commercial potential. Pichai also claimed that Chinese government censors would block less than 1 percent of users’ searches. In his Oct. 4 speech, Vice President Pence called on Google to “immediately end development” of a censored engine that would help “strengthen Communist Party censorship and compromise the privacy of Chinese customers.”
- Apple CEO Tim Cook visited China last week on a trip characterized by the Washington Post as a “one-man charm offensive to promote Apple products.” His visit came amid U.S.-China trade tensions and the projected deterioration of Apple’s earnings in China this year. Cook also met with top provincial officials in Shanghai to discuss future Apple-funded development in the city. Earlier this month after Facebook revealed a massive security breach, Cook reaffirmed Apple’s stance on protecting user privacy, even under China’s restrictive regulations.
Commentary & Analysis
Elsewhere on Lawfare, Nicholas Weaver provides technical and logistics context to the SuperMicro attack. Jim Baker has published the third in a series of articles on how artificial intelligence will impact counterintelligence, focusing on the application of AI to data collected from citizens’ communications. Steve Stransky examines how the Trump administration’s recently released National Cyber Strategy aims to reform the country’s computer crime and surveillance statutes, and Bobby Chesney highlights how challenges to those surveillance statutes in the United States might be informed by the European Court of Human Rights’ recent decision in Big Brother Watch and Others v. The United Kingdom. In this week’s Cyberlaw Podcast, Stewart Baker discusses Bloomberg’s hardware hacking story (at 1:00), the Treasury Department’s new CFIUS regulations (at 7:25), and the extradition of Xu Yanjun (at 12:15). Last week’s episode addressed the SuperMicro hack (at 1:10) and the extension of ZTE’s monitor (at 8:20).
At CSIS, Samm Sacks describes her main takeaways on China’s evolving data protection regime after a summit at Alibaba’s Data Security Institute. Turning to the Chinese domestic economy, Dan Rosen and Logan Wright analyze the factors enabling the Chinese financial system’s resilience amid massive credit growth in a new CSIS report. Douglas Paal of the Carnegie Endowment for International Peace explores how Washington’s new generation of leaders—who came of age accustomed to a strong and assertive China—are changing the bilateral relationship. Meanwhile, his colleague Philippe Le Corre looks to Europe and the spread of Chinese influence including through investments in digital and information technology. Finally, at Brookings, Ryan Hass considers how Pence’s speech played with different audiences, while Joseph Parilla and Max Bouchet identify the U.S. cities hardest hit by retaliatory tariffs.
Graham Allison explains in the Financial Times that the Trump administration has “a serious emerging strategy to confront China” as part of a new Cold War, but may lack the necessary means and ends. This new strategy has included accusations of Chinese election interference. In the New York Times, Adam Segal argues that while the Chinese government has not hacked foreign elections, it has the tools and playbook to do so. In Foreign Policy, Matt Stoller argues that the Chinese government has exploited Washington’s hands-off approach to corporate regulation and technology policy to advance its own interests. Nathaniel Taplin takes stock of the trade war’s continued impact on the Chinese economy for the Wall Street Journal.