The U.S. Must Combat CCP-Sanctioned Overseas Spying by Private Entities

After meeting with Chinese president Xi Jinping in San Francisco last week, President Biden noted: “We’re in a competitive relationship — China and the United States — but my responsibility is to make it rational and manageable so that it doesn’t result in conflict.” Biden addressed challenges facing U.S. businesses operating in China, such as “punitive actions against U.S. firms” under China’s anti-espionage laws, but avoided mentioning China’s problematic laws that increasingly affect how Chinese businesses act on U.S. soil. The omission is notable. If Biden wants to ensure that China’s actions don’t lead to conflict, the U.S. must develop a strategy to address Beijing’s announced plan to weaponize espionage by China’s global private sector.

The Chinese Communist Party (CCP) has been remarkably open about its intentions of global economic and military dominance by any means necessary. To get there, the CCP is very likely relying on China’s “national intelligence” law, which requires that all Chinese businesses and citizens operating overseas must, upon demand, gather sensitive information from host countries and provide that to the Chinese government. In other words, Beijing can activate all Chinese persons and companies abroad to spy for the state. The United States should enact multiple, intersecting countermeasures to protect its companies, citizens, and itself from such a threat.

To quote the relevant Chinese law: “All organizations and citizens shall support, assist, and cooperate with national intelligence efforts.” While the term “national intelligence” is not clearly defined, the law states elsewhere that “national intelligence” relates to conduct that endangers “the national security and interests of the People’s Republic of China.” The CCP could interpret that language to cover virtually everything. After all, China tends to construe its “national security and interests” broadly. Beijing, thus, has weaponized its entire private sector and massive expatriate community to gather critical sensitive, private, or military information from foreign governments and commercial entities without restriction. There are countless examples of Chinese espionage to date, many of which directly support CCP strategic objectives. Those Chinese entities or individuals who do not comply violate Chinese law.

It is safe to assume that Chinese companies — whether they are state-owned or not, whether their CEO is a party member or not, or whether they are in the intelligence service or not — are obligated under Chinese law to pass on any and all information they collect to the Chinese government.

The United States is cognizant of the risks posed by this law in some contexts, pushing back on Huawei 5G networks, TikTok social media, Chinese undersea cables, and Chinese cargo shipping cranes at commercial ports. But these are not the only spheres at risk from this deputized version of Chinese spying. Indeed, any Chinese company that collects information overseas is a potential target for CCP demands.

Given that, one wonders why so many Chinese companies and Chinese nationals are free to operate without restrictions — both in the U.S. and around the world — when they risk violating Chinese law by not spying.

That is not to say that there is evidence that China has routinely demanded commercial data from Chinese companies — but that lack of clarity is precisely the point. We don’t know what information the Chinese government has demanded.

Let’s unpack what that could mean. Currently, newer cars often contain self-driving or safety features (such as lane assist or blind-spot detection) utilizing sensors and software to collect and process vast amounts of data about every U.S. road, building, or military installation those cars drive past. Frequently relying upon Chinese LiDAR (Light Detection and Ranging) technology or Chinese artificial intelligence (AI) software, those products build comprehensive 3D maps of everything they see to protect drivers from potential hazards. LiDAR sensors, for instance, can capture a 360-degree view of objects that are up to 200 meters away. If the CCP demands that LiDAR and AI companies pass that information on to the government in the name of national intelligence, it would have access to troves of recent data and images of everything from military bases to nuclear power plants. We cannot know if the CCP has sought this information, but the U.S. Department of Transportation is concerned.

Lexmark and Lenovo are two of the most popular brands in the world. They are also Chinese-owned companies. Do those companies provide the CCP with consumer, government, and private-sector information scanned, written, uploaded, or printed on their devices? We don’t know. For its part, the U.S. military considers Lexmark and Lenovo “known cybersecurity risks.”

It is not only the U.S. military that should be concerned. Private U.S. companies make particularly compelling intelligence-gathering targets. Given China’s history of sanctioning the theft of intellectual property, spying on U.S. companies, and coercing technology transfers, it should be obvious that this law could be used against commercial competitors to Chinese companies. If China considers that stealing trade secrets and blueprints would advance the “interests of the People’s Republic of China,” the national-intelligence law provides the legal framework to compel Chinese entities and citizens to become corporate spies.

While China’s citizen-spies could be present anywhere, Chinese companies that passively collect massive amounts of data present the greatest risk to U.S. national security. Chinese companies that make rubber washers, light bulbs, or batteries are unlikely to be used to collect sensitive data. However, the number of Chinese companies that collect information that the CCP could find relevant to “national intelligence” is enormous. In the absence of evidence to the contrary, we must assume that any Chinese company could be spying in support of Chinese interests.

What are the policy implications of that assumption?

First, let’s be clear that most Chinese companies and citizens operating overseas are honest and hard-working capitalists who do not desire to pass private commercial data on to the CCP. The problem is that their “desire” is irrelevant. Such companies are legally required to comply with any intelligence-gathering demand, no matter how distasteful or how many commercial norms it oversteps.

Therefore, it should be incumbent upon any Chinese entity to disclose to the U.S. government (1) the types of information it collects, (2) how that information is stored and accessed, and (3) what steps the entity has taken to prevent that information from being made available to the Chinese government.

We propose a licensing system that creates a rebuttable presumption — similar to the one used in the Uyghur Forced Labor Prevention Act — which would assume that the Chinese government can access any information collected by Chinese entities. The burden would, thereafter, shift to the Chinese entity to demonstrate the ways it is keeping American information safe, secure, and out of the hands of the CCP. If the company can demonstrate that it (1) collects no private or sensitive information or (2) gathers information but safeguards it in ways that are immune to Chinese-government demands (such as real-time data purges, third-party data collection, or permanently encrypted data), then it should be allowed to operate within the U.S. like any other commercial entity.

Failing that, Chinese companies should be barred from collecting or using any American data. If that is not feasible, the company should not be permitted to operate on U.S. soil or engage with U.S. entities until it is compliant with legal and regulatory requirements.

When Chinese leaders tell us they are going to do something, we should listen to them. The CCP is willing to deputize private companies to advance its intelligence-gathering goals. Pity on us if we don’t take it seriously.

Elaine Dezenski is senior director and head of the Center on Economic and Financial Power at the Foundation for Defense of Democracies and former acting and deputy assistant secretary for policy at the Department of Homeland Security. David Rader is a senior fellow at the Foundation for Defense of Democracies and former deputy director of the Global Investment & Economic Security Directorate at the Department of Defense.