Welcome back to our series on the ties between corporate security and China’s Five Year Plan (FYP), a document that serves as the country’s national economic and policy roadmap. Because we understand the unique roles and responsibilities of executives and corporate leadership, we focus on cyber risk as an enterprise risk and help explain it without getting lost in the weeds.
Why Corporate Leaders Should Read China’s Five Year Plan: Part 2
By Jeff Welgan, Executive Director and Head of Executive Training Programs at CyberVista
To begin our analysis of China’s 13th Five Year Plan (FYP), we will focus on the theme of innovation, highlighting potential areas of cyber risk for U.S. companies and viewing these risks through an enterprise risk lens. Innovation represents an ever-increasing risk area for companies doing business with China, particularly as China shifts efforts to govern domestic cybersecurity, starting with a new and ambiguous cybersecurity law set to take effect this Thursday, June 8th. Because the new law requires all foreign companies conducting business in China to store their data in China, this policy puts them at greater risk.
The 13th FYP reiterates China’s state-directed strategy for “indigenous innovation,” an initiative that has been strongly condemned by U.S. and foreign governments for its inherent discrimination against foreign firms in favor of Chinese products and services. To build an innovative China, the 13th FYP outlines 12 specific objectives.
China’s 13th FYP innovation targets are ambitious. As with the initiatives outlined in previous FYPs, a lack of funding, along with shoddy patents, hampers China’s ability to achieve its goals. Moreover, while China is creating innovation hubs in cities such as Tianjin and Suzhou, “Only 5% of China’s incubators have the necessary funding and high-quality services to support startups.”
So, how will China meet its aggressive goals to drive new innovation when there is a significant lack of investment and a large innovation gap across its products and services? How can China drive innovation with little investment in R&D? They can rely upon a tactic they have used before: Intellectual Property theft of new and innovative products from other companies. China was once again listed at the top of the IP Country Watch List, according to the April 2017 Special 301 Report published by the United States Trade Representative.
U.S. Manufacturers Beware
Heavy industry and low-end manufacturing are no longer the keys to sustainable growth for China’s increasingly educated and skilled workforce. To meet its innovation targets and to compete with global markets, China must first accelerate its higher-value-added and intelligent manufacturing capabilities, including high-end equipment, integrated circuits, biomedicine, cloud computing, mobile Internet, and e-commerce.
The Made in China 2025 Action Plan is a specific action plan that seeks to address the many innovation-related targets within China’s FYP. Made in China 2025 aims to enhance China’s innovation, digitization, efficiency, and quality efforts, creating the foundation for globally competitive domestic capabilities and, ultimately, substituting foreign technology and products with indigenous ones. To that end, Made in China 2025 targets ten key sectors that will require additional government support:
- New Energy Vehicles
- Next-Generation IT
- New Materials
- Ocean Engineering and High-Tech Ships
- Power Equipment
- Agricultural Machinery
The Made in China 2025 Action Plan also outlines a roadmap for key technologies and its 2020 and 2025 localization targets, outlined below:
U.S. companies that focus on any of the above-listed sectors or key technology areas should remain especially vigilant.
According to a February 2017 Update to the IP Commission Report, the annual cost to the U.S. economy due to counterfeit goods, pirated software, and IP theft is estimated to be as high as $600 billion; economic espionage via cyber means accounts for an estimated $400 billion of that cost (estimated between 1%-3% of U.S. GDP).
Cyber espionage (hacking) has become the most lucrative means to obtain sensitive data and IP from companies, and China is notorious for using this tactic. Notably, the Chinese military is directly involved with these hacking activities. On May 19, 2014, the U.S. Department of Justice indicted five Chinese military hackers for cyber espionage activities directed against multiple U.S. manufacturing companies.
Chinese IP-Theft Tradecraft
Using previous instances of IP theft, we can draw a few conclusions about China’s tactics:
- Short-lived Joint Ventures: China receives offers from foreign companies attempting to sell new technologies. China deliberates, decides the price is too expensive, and then counter-offers with a JV deal where the foreign entity gets a percentage of the ownership in exchange for a unit of their product. Trusting in good faith that the Chinese firm will purchase more units at full price down the road, the foreign company trains the Chinese firm to operate or develop the technology. However, in many cases, China commits IP theft by cloning the technology, legal actions by the foreign company fail, and the JV eventually dies off. The cloned technology then enters the global market at a much cheaper unit cost and strains the original foreign company’s ability to compete.
- Traditional Corporate Espionage: Sometimes the best way to get access to sensitive IP is the old-fashioned way: incentivize an insider to steal it for you. Traditional efforts to steal corporate information are not dead. The use of willing insiders by nation states and competitors continues to be both effective and difficult to detect. High-profile examples of Chinese insiders stealing sensitive IP from U.S. companies are detailed here and here.
Executive Actions and Considerations
If you are a company with valuable IP or other resources, keep these tactics in mind, especially as China strives to meet its ambitious innovation targets. Remaining vigilant against cyber espionage includes performing proper due diligence before any new hire or partnership; executing personnel controls such as separation of duties and job rotation to reduce collusion and fraud; and, finally, putting into place data loss prevention tools, which are technical controls that can flag and prevent valuable data from escaping your network.
Our next blog in this series will focus on China’s Green Growth initiatives, specific targets, and the various ways China will seek to meet its targets. Additionally, we will highlight the potential risks that U.S. and other global businesses may face in the wake of those efforts.
If you want to learn more about how to build and execute a risk management strategy that considers all types of cyber threats, contact us to schedule a Cyber Resolve training session in your boardroom or C-suite.