Mitigating Against the Risk of Intellectual Property Theft in China

By Joan Hodge

Earlier this month the U.S. and U.K. national law enforcement chiefs came together in their first joint public appearance to address the international business community on the threats concerning intellectual property (IP) theft posed by China.

In his remarks, FBI Director Christopher Wray warned of numerous tactics used by Chinese state officials to spy on, control, and ultimately co-opt Western technologies. With both the U.K. and U.S. conducting more investigations into Chinses malign business activity than ever, no one industry or business model seems immune. Wray stated that, “The Chinese government is set on stealing your technology – whatever it is that makes your industry tick – and using it to undercut your business and dominate your market. And they’re set on using every tool at their disposal to do it.”

The Chinese government has long posed a threat to the intellectual property of Western businesses operating within China as well as those with valuable technology outside its borders. The issue took center stage as former President Trump’s trade war with China commenced in 2018. In November of that year, the Justice Department announced “The China Initiative,” a program whose purpose was to protect U.S. laboratories and businesses from economic espionage and IP theft. In February of this year under the Biden administration, the Department rebranded the program as “A Strategy for Countering Nation-State Threats,” and now includes Russia, North Korea, and Iran, all of which engage in similar behavior. Though other authoritarian countries, whose oppression of free expression in turn oppresses critical thinking and innovation among their people, engage in IP theft, China remains the most significant state actor in this regard.

Finding a Way In

In his speech, Director Wray cited four main avenues the Chinese government uses to steal Western technology. So, what are these tactics and how can businesses mitigate against the impact of their potential use?

First, and probably the least surprising, is the massive cyber hacking operation China runs, which according to Director Wray “is bigger than that of every other major country combined.” Not only is China’s state-sponsored cybercrime operation colossal in size, but it is “also effective” said Wray, citing the 2021 China Ministry of State Security (MSS) unprecedented exploitation of vulnerabilities in Microsoft’s Exchange Server. That incident, in which three MSS officers and one contracted hacker were indicted, prompted U.S. Secretary of State Blinken’s assessment that, “The PRC’s Ministry of State Security has fostered an ecosystem of criminal contract hackers who carry out both state-sponsored activities and cybercrime for their own financial gain.”

The MSS also uses classic intelligence tradecraft to recruit assets to assist in intelligence gathering operations, “spotting and assessing sources to recruit, providing cover and communications, and helping steal secrets in other ways,” said Wray, adding that everyone “from Fortune 100s to start-ups” is at risk. One known tactic used by China is recruitment via LinkedIn, where fake profiles are used by intelligence officers to message and befriend businesses executives and former diplomats. China has also been known to target Chinese academics and scientists working in the U.S. and other technologically advanced countries.

Director Wray also described various corporate structures and relationships the Chinese government uses to partner with Western businesses. Doing business with Chinese corporations means doing business with the government Wray described, as they “are required to host a Communist Party cell to keep them in line.” Furthermore, these business partners, who are forced upon most foreign companies, often turn into competitors after acquiring the IP. China also uses a tactic most commonly employed by money launders, that of complex shell corporation structures, which attempt to hide the ultimate beneficiary of the business. The Chinese government uses their shell corporations to bypass screening programs like the Committee on Foreign Investment in the United States (CFIUS). This allows the Chinese government not only to steal trade secrets from their so-called partners, but also gain a high degree of influence over the targeted business.

Finally, Director Wray described a number of regulatory actions taken by China in recent years that essentially compel companies operating in China to hand over their IP and other sensitive data to the government.  The most shocking example of this may be the 2017 National Intelligence Law that allows the government to force Chinese employees in China to assist with intelligence operations. That law applies to all “organizations” in China, a term which appears to include all types of companies established in China, regardless of ownership, i.e. private and public Chinese shareholders as well as foreign shareholders.  Wray also cited the 2021 Data Security Law which “requires companies with China-based equities to report [zero-day] cyber vulnerabilities in their systems, giving Chinese authorities the opportunity to exploit those vulnerabilities before they are publicly known.” The regulatory risk landscape in China is vast. Regulations, like the 2017 Cyber Security Law, are complex and vague. The statutory ambiguity is intentional, allowing local authorities to target their enforcement operations depending on their current priorities and interests.

Lessening the Impact

Though the risk of IP theft when doing business with China is high, there are ways in which Western businesses operating in China can mitigate against the potential impact of these threats. To start, as Director Wray suggested, businesses can work and develop relationships with their respective law enforcement and national investigative bodies. Through private-public partnerships, businesses are able to stay up to date on the latest intelligence trends and maintain a direct line to relevant authorities should something nefarious take place.

It goes without saying that every business needs to invest in a robust and proactive cyber security program. Being proactive means not only running consistent scans for vulnerabilities, but also staying up to date on the latest risks posed by China and other bad actors. U.S. businesses should monitor alerts issued by the Cybersecurity and Infrastructure Security Agency like this one issued last month on “People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices,” which also contains a number of mitigation steps. In the U.K., follow the National Cyber Security Center.

Though less likely than a cyber hack, the threats posed by Chinese human intelligence collectors and their recruited assets within organizations remain credible. Similar to other forms of insider threat, the best way to mitigate against these risks is by building awareness amongst staff. Training employees on common signs of attempted of recruitment will help protect your business and intellectual property. One startup based in Utah, which uses proprietary technology to help identify Chinese malign activity regarding IP theft, has a policy requiring staff to report any attempts at recruitment.

When it comes to partnering with Chinese owned businesses, comprehensive due diligence is a must. Should due diligence investigations return a low to medium risk recommendation, it is still best to assume your partner is engaged with government officials in some capacity. According to Wray, “the Chinese government has also shut off much of the data that used to enable effective due diligence,” and every Chinese business must maintain a relationship with the Chinese Communist Party. Following an in-depth assessment, businesses can develop operating procedures designed to protect their most sensitive data when interacting with Chinese counterparts.

Investing in the Chinese market means spending a great deal of time and money to ensure compliance with the multitude of laws and regulations for foreign businesses, some of which may open doors to sensitive IP like those mentioned earlier. And while complying with such laws may ultimately reveal trade secrets to local authorities, the risk of non-compliance could result in hefty fines and a greater level of scrutiny, even for minor infractions. As with cyber hacking trends, the key here is monitoring. Maintaining awareness of which industries the regulating authorities are focusing their enforcement efforts is key. There are a number of blogs and news outlets dedicated to tracking Chinese regulatory actions. For example, the U.K. Foreign and Commonwealth Office issues quarterly China Commercial Regulatory Updates.

Another key to avoiding harassment from authorities is to maintain positive working relationships with them. Relationships are an important part of Chinese business culture. The upside to forced local partnerships, if done correctly, is the opportunity to show your business is staying out of trouble while controlling what information is handed over, as opposed to your partners or regulators hacking or otherwise enforcing their way in.

We recognize that there are many, generally lucrative, upsides to investing and operating abroad, especially in China. And while the risk of IP theft is pervasive, by staying up-to-date on the latest trends and analysis, conducting internal due diligence and risk management, and maintaining relationships with authorities both at home as well as in China, companies are more likely to be able to counter these threats while also maintaining a competitive edge.

Joan Hodge is Lexpat’s Senior Consultant for Global Risk, Programs, and Monitoring.  She was previously an intelligence analyst at another leading global risk consultancy, and has served in positions with INTERPOL’s Transnational Organized Crime Division and the U.S. State Department’s Bureau of International Narcotics and Law Enforcement Affairs.