Intellectual property theft in China used to be symbolized by stores in Chinese malls across the country filled floor to ceiling with pirated DVDs of Hollywood blockbuster movies. Now a better symbol might be a Chinese tech startup. American officials estimate that intellectual property (IP) theft including counterfeit goods, pirated media and stolen trade secrets costs the U.S. economy between $225 and $600 billion every year. One official from the Office of the Director for National Intelligence indicated that Chinese cyber theft of IP alone costs the U.S. economy up to $400 billion every year. For high tech companies, where IP often forms the core of their business, IP theft can be particularly damaging. Luckily there are some practical ways businesses can reduce the risk of IP theft.
From Copycat to Cyberthief
The Chinese government has used IP theft to advance its strategic goals for at least the past 30 years. Chief among these goals is national economic advancement. As China prioritized manufacturing to boost economic growth at home during the Reform and Opening Up period beginning in the 1980s, the CCP used of its intelligence agencies to recruit employees at target companies to conduct industrial espionage. Soon after, Chinese factories began producing counterfeit goods or cheap knock offs based on stolen designs, creating their profit at the expense of the designer’s market share. The Chinese have also used IP theft as a way to acquire defense or national security-related technological information, including nuclear weapon technology.
While the strategic goals remain the same, the rise of the information technology industry changed the means of collection and the targets for Chinese state actors. China now uses more technical and cyber methods to substantially increase the volume of stolen trade secrets. China also pursues more high tech trade secrets as part of a national shift away from manufacturing and towards an innovation-driven development model.
The sheer volume of stolen IP spurred U.S. government action to protect American companies. Cooperation between the Chinese and American governments peaked in 2015 with a mutual agreement prohibiting the use of cyberattacks to steal IP. After three years, most analysts agree that the number of detected cyberattacks emanating from China looking for IP has decreased, but some caution that attacks could return or methods may simply have changed because of China’s enduring interest in stealing IP to boost its economy.
China appears to be particularly targeting semiconductors and Artificial Intelligence (AI) technologies right now. One piece of evidence supporting this is the way these technologies are prioritized in their national planning documents, such as the Made in China 2025 plan emphasizing home-grown tech manufacturing, and the announcement that China aims to be the lead country for AI innovation by 2030. The interest in these technologies can also be inferred from the high number of FBI investigations related to semiconductor IP theft, like the December 2017 indictment of four executives from Applied Materials in California, and Chinese venture capital firms’ interest in investing in AI startups in Silicon Valley.
Spies, Hackers and… Laws?
The methods that China uses to steal trade secrets range from traditional human recruitment to newer technical methods using cyber intrusions. China has been using state resources to recruit foreigners or Chinese nationals working abroad at target companies since at least the 1980s. Recruiters usually approach individuals to blackmail or bribe them or choose disgruntled employees, such as an individual who downloaded proprietary information from his video game company after he learned he was being fired. He was later indicted by the FBI for trying to use that IP to secure a job in China in 2015.
Recruiting informants can be a long and costly process, so cyberattacks took over as the predominant method for IP theft in the early 2000s. State-sponsored or state-sanctioned hacking groups in China have a range of sophisticated tools at their disposal to access company networks, including spear phishing, malware, and exploiting vulnerabilities in cloud storage systems. It is harder to gauge how prevalent cyber IP theft campaigns are because most companies impacted by these campaigns choose not to disclose many details. Independent cyber researchers like FireEye note that despite the 2015 agreement between Obama and Xi, firms in the U.S. continue to be targeted by Chinese hacking groups. Cyberattacks on firms’ networks are particularly common during the due diligence period of merger and acquisitions negotiations.
Recently, China has used regulatory and legislative tools to acquire foreign firms’ IP through legal technology transfer. The most notorious new legislation is China’s 2016 cybersecurity law, which took effect in June 2017. It bars majority foreign-owned businesses from investing or operating in some sensitive sectors, including critical information communication infrastructure and the defense industry. It also makes companies in these industries subject to an opaque national security review. In practice, this can force foreign firms to partner with Chinese firms, which often require disclosure of proprietary information as part of the partnership. It also mandates that sensitive data generated by or about Chinese citizens must be housed in China, which may force foreign tech firms using cloud services to set up a physical presence in China, also making them subject to disclosure of proprietary information. These IP disclosure requirements often accompany Chinese investment in American firms, casting doubt on whether Chinese investments in Silicon Valley tech startups are looking for high ROI or trade secrets.
How Businesses Can Protect Their IP
While businesses should not assume that every Chinese actor is out to steal intellectual property, they can take some common-sense measures to make it harder for those who are interested in stealing trade secrets. A business’ best defense against human recruitment techniques is to know their staff. They should conduct background investigations on employees with access to sensitive information and invest in internal network monitoring cyber security measures that can help detect insider threats. To protect against cyberattacks, companies should prioritize cybersecurity and stay up to date on the latest threats. Employees should practice good device security if they visit China for business or vacation and consider getting “burner” cellphones or laptops that are intended only for use in China. Companies must be particularly vigilant for Chinese cyberattacks looking for trade secrets during any due diligence process related to investments or mergers and acquisitions discussions.
Addressing the legislative and regulatory tools that may require technology transfer is a little trickier. The key is managing a company’s risk against the potential reward, whether considering a partnership with a Chinese firm or opening operations in Mainland China. Be aware of laws relating to data and cybersecurity, and know that they can change arbitrarily. If a business is considering taking investments from Chinese firms, they should also stay abreast of reforms to the Committee on Foreign Investments in the United States (CFIUS), a U.S. government body that reviews foreign investments. CFIUS can derail a deal if it believes it could adversely impact U.S. national security due to technology transfer, and Chinese investments in tech in particular have attracted attention within the last year. Chinese investments and market expansions can be a boon for a business, but without understanding the vulnerabilities it may present to proprietary information it could also be the end of a business.