For years, the national and cyber security communities have technology companies like Microsoft, Amazon and Oracle that escalating tensions between the United States and China would ultimately make them between one of their largest customers, the U.S. government, and access to the state-controlled Chinese market. U.S. companies have long had to balance their values with China’s authoritarian demands, such as . That was just the tip of the iceberg. Now, a revision to China’s state secrets law that takes effect in May could very well force the issue.
The law will require business entities in China to identify and disclose to the government “work secrets,” or non-classified information that the Chinese Communist Party (CCP) deems relevant to its national security. The revision is purposely ambiguous as to what qualifies, allowing China to force U.S. tech firms (and, of course, other U.S. companies operating in China) to turn over proprietary information that could be used to target the U.S. government or impact the data security of Americans writ large.
This becomes a difficult but binary choice for U.S. tech companies that have invested billions of dollars to build up their presence in China. If U.S. tech companies refuse to comply, they risk losing access to the vast Chinese market. If they do comply, they risk threatening U.S. national security. To eliminate that risk, the Biden administration and Congress should — at a minimum — consider barring technology companies that comply with the new rule from pursuing new government contracts.
Technology companies like Microsoft, Amazon and Oracle are deeply embedded in the U.S. government and enjoy significant advantages thanks to their incumbency in government contracts. Microsoft and Oracle, for example, face for nearly a quarter of their federal contracts. In many cases, secondary IT providers “compete” for the government’s business but use the same underlying systems, ensuring that no matter which bidder is selected, firms like Microsoft and Oracle always win. These companies also have significant in China and large that work with researchers and universities with direct to the Chinese government and military. These operations risk compromise to America’s national security interests today: Chinese familiarity with and access to information about operating systems that are at the core of our defense enterprise is, manifestly, a source of vulnerability.
As President Xi Jinping has consolidated power, the CCP has imposed increasingly strict rules on foreign businesses operating in China and mandated their compliance to maintain market access. For U.S. technology companies, that has meant that force them to provide the state advance notice of their cybersecurity vulnerabilities, allowing state-affiliated hackers to exploit zero-day flaws before a patch is released. It has also meant compliance with a that opens many of the products they offer in the United States — including cybersecurity tools sold to the U.S. government — to intrusion by state-affiliated hackers. Microsoft itself has admitted that with these rules has directly . That threat risk looms larger with the new requirements.
U.S. technology companies that conduct research and development in China will now also be required to abide by the new “work secrets” rule if they want to continue to reap the rewards of the Chinese market or use to develop products and features banned in China but used globally, including in the United States. If the past is prologue, these companies will choose to comply. China’s hacking and espionage program is already , and top U.S. intelligence officials have voiced their about China’s ability to launch a significant cyberattack against U.S. critical infrastructure. Increasing the flow of data from the U.S. government’s largest and most important technology partners directly to the CCP exponentially increases that risk.
To mitigate this, the Biden administration and Congress must step in — the same way they have in recent weeks to improve — to stop Americans’ from being sold to foreign adversaries like China and address the threat that Chinese pose to national security. Any action needs to reflect the reality that it is increasingly becoming unfeasible for the companies trusted with U.S. national security contracts to maintain significant operations in China.
Lawmakers should adopt new measures to transition to a procurement system that would disqualify any company that complies with China’s state-mandated disclosures from consideration for future government contracts. Requiring companies to choose between the United States and China will ensure the technology partners the U.S. government chooses share its national security priorities, helping make the tools it relies on safer and more secure.