Winning the Race: The Case for Counterintelligence against Chinese Espionage

Image Source: Ars Technica

Aesop’s fable, “the Tortoise and the Hare,” famously warns us about the dangers of arrogance and complacency in the face of a determined adversary. Unfortunately, in the modern race for supremacy between the United States and the People’s Republic of China (PRC), it appears that American policymakers and executives have failed to heed this warning, bearing disastrous consequences for industries vital to U.S. national security.

Like the hare, the United States had long enjoyed a substantial lead in developing defense-industrial sectors and innovating dual-use technologies. However, Washington has since rested on its laurels and exposed itself to theft through its lax counterintelligence posture. Meanwhile, the PRC — marrying the patience and long-term vision of the fabled tortoise with the remarkable leapfrogging ability enabled by its pervasive industrial espionage — has now caught up and even surpassed the United States across a plethora of key defense and technology sectors. Therefore, if spying and stealing are how the PRC plans to ‘win the race’ in modern strategic competition, the United States can only hope to prevail by investing far more robustly in counterintelligence.

The Tortoise Charges Ahead: The Threat of Chinese Industrial Espionage

Just over a decade ago, the PRC hardly qualified as an industrial or technological competitor to the United States. According to the Information Technology & Innovation Foundation, the PRC’s composite innovation capabilities — including research and development (R&D) expenditures, venture capital (VC) investments, advanced-industry output, and patent output — were roughly 22% less “on a proportional basis (accounting for the size of its economy, population, etc.)” than that of the United States in 2010. Yet, as of 2020, the PRC can innovate nearly 40% more than the United States. Today, the PRC leads the world in researching 37 out of 44 critical technologies, surpassing the United States in key defense and dual-use industries such as drones, machine learning, biotechnology, artificial intelligence (AI), hypersonics, and nuclear energy. The United States leads research in only seven critical technology sectors, including computing and vaccines. 

Clearly, Washington’s longstanding technological-military supremacy is rapidly eroding. How did the PRC close the gap and, in many sectors, leap ahead so quickly? First, embodying Aesop’s tortoise, the Chinese Communist Party (CCP) has demonstrated a sustained, long-term commitment to becoming the world’s greatest superpower. Examples include programs like “Made in China 2025,” which explicitly outlines the CCP’s plan to become the top global producer in ten industries essential to national security — such as telecommunications, robotics, artificial intelligence, and aerospace — as well as the Belt and Road Initiative and other plans. Beijing seeks to control strategic supply chains, manipulate global and domestic market conditions, spread the CCP’s authoritarian value system, and bolster its military capabilities — all to reshape international norms to favor the PRC’s interests as part of its campaign for global hegemony. This is not just an attack on American economic leadership but also a threat to U.S. security and the world order.

Second, the tortoise has developed some crafty asymmetric tools to catch up. Given its long-term vision and centralized control, the CCP is using all levers of its national power — especially its intelligence apparatus — to undermine American industry in pursuit of economic and military superiority. In particular, the PRC has engaged in unparalleled state-sponsored corporate theft, utilizing the whole gamut of its espionage toolkit on poorly defended American companies and agencies — including through physical theft, cyber intrusions, and the recruitment of insiders. 

Conveying the scale and severity of this threat, FBI Director Christopher Wray declared, “[the PRC is] targeting our innovation, our trade secrets, [and] our intellectual property on a scale that’s unprecedented in history. They have a bigger hacking program than that of every other major nation combined. They have stolen more of Americans’ personal and corporate data than every nation combined.” In 2018, the FBI calculated the cost to the U.S. economy as between $225 and $600 billion every year. However,  estimates must also consider the long-term consequences of stealing R&D building blocks, the true impact of which will be seen five to ten years from now when Beijing already possesses technologies and weapon systems that Washington expected to be cutting-edge. For example, when accounting for the future developed products and eventual derivates from a 2019 Chinese cyber operation stealing defense and dual-use IP from 30 companies, the estimated loss is not billions but trillions of dollars. 

That number emerges from just one Chinese espionage operation — the FBI is already investigating nearly 2,500 additional Chinese operations and opens a new China-related counterintelligence case every 10 hours, representing a stunning 1,300% increase in Chinese economic espionage cases over the last ten years. 

The cost of these activities should not solely be measured in technologies developed or dollars stolen but also in the loss of American private and public-sector data. Beijing’s 2014-2015 hack of the U.S. Office of Personnel Management (OPM) opened the files of 22.1 million current and former federal employees to the eyes of the CCP. Likewise, the 2015 Anthem hack granted the PRC access to the insurance records of 80 million Americans. But the most pervasive was the 2017 Equifax hack, which harvested the personal information of 150 million Americans—roughly half of the American population. When coupled with countless other such operations at varying scales, one must conclude, as Director Wray has, “if you are an American adult, it is more likely than not that China has stolen your personal data.”

And make no mistake: the CCP is targeting military information as well. A Chinese spy and Chinese Air Force hackers were caught stealing “designs for cutting-edge military aircraft” in 2016. Today, countless Chinese airpower systems share eye-raising similarities with U.S. platforms, such as the F-16, F-22,  and F-35 fighters, the MQ-9 Reaper drone, and the C-17 Globemaster III. The PRC owes its fifth-generation fighter jet directly to the theft of American innovation. Beyond aircraft, the PRC has also stolen information on the U.S. Patriot missile system, the Littoral Combat Ship, nanotechnology, directed energy systems, space surveillance telescopes, tactical data links, and drone video systems, all of which Chinese hackers reached through the networks of private defense companies working with the Pentagon.

Whether you consider the PRC a near-peer or peer competitor is irrelevant because what is no longer deniable is that the PRC has made massive leaps forward and now definitively threatens U.S. supremacy thanks largely to the unprecedented theft of American civil, government, and military information. 

Waking the Hare: Recommendations for Revitalizing U.S. Counterintelligence

It takes two to race, so the story of the PRC’s rise cannot be told without addressing U.S. inaction. Like Aesop’s complacent hare, both the U.S. public and private sectors have mostly neglected to address counterintelligence as an avenue to combat Chinese theft, resulting in untold damage to America’s long-term economic and, by extension, national security. Given the keystone role of intelligence and espionage in the PRC’s long-term strategy to gain global technological, economic, and military supremacy, only a whole-of-society counterintelligence response can protect the United States from further harm. Policymakers should heed the following recommendations to offset the PRC’s approach.

First, policymakers across government should clearly signal, loudly and often, to American businesses—particularly those in key defense and dual-use industries—that the CCP is not a friend, but rather a competitor and even an adversary. For many businesses, the threat has not appeared sufficiently frightening to resist the allure of the Chinese market. They fail to understand that the CCP has no intention of allowing American companies to thrive in China or elsewhere longer than necessary. Given the PRC’s publicly-stated intent to monopolize all security-critical industries, the CCP’s long-term strategy is to steal priority technologies and information from American companies, then force that competition out of business— ultimately replacing every successful foreign company with a Chinese one. 

American companies and investors do business with Chinese companies at their own peril. Many large Chinese businesses are state-owned enterprises (SEOs) run directly by the CCP, and even Chinese companies that are not formally SEOs are, in practice, beholden to the whims of Beijing—willingly or not—due to laws that empower the CCP to compel them to provide open access and information. Accordingly, as a cost of operating within the PRC, foreign companies in joint ventures are forced to allow Communist Party “cells” to be established inside them. As a result, the CCP retains easy access to internal information, enabling the theft of technology, IP, and data locally and through the worldwide reach of company networks. Moreover, China’s arbitrary legal power has enabled the CCP to arrest dozens of foreign nationals doing business in China. But despite such an ominous business environment, the American Chamber of Commerce in South China noted that “more than 90% of the participating companies select China as one of the most important investment destinations, and 75% of the companies plan to reinvest in China in 2023.”

U.S. elected officials need not depend on the patriotism of American business executives to convince them to tread carefully with the PRC; officials need only appeal to companies’ self-interest. Like American Superconductor and countless others, any company that partners with Chinese SEOs risks catastrophic losses in earnings, jobs, and reputation. The problem is not a public-private conflict of interest but rather a lack of understanding or appreciation of the threat. 

Therefore, the U.S. government must do a better job sounding the alarm for a private sector either far too unaware of or unconcerned with the scale, scope, and reach of Chinese industrial espionage. Scary statistics can better inform, but they do not rouse a nation out of apathy—only its leaders can do that. With more comprehensive guidance from executive and legislative officials, corporate leaders can avoid, or at least more scrupulously navigate, sensitive business transactions with certain Chinese firms while better securing their networks, data, and other strategically pertinent information in defense of their competitive advantages. Even if American companies insist on harvesting the short-term profits of China’s market, they should do so in a way that does not invite long-term financial ruin for them nor strategic catastrophe for the United States.

Second, the United States should establish an international, interagency counterintelligence coalition to spread awareness and coordinate key defenses. In October 2023, this unprecedented threat finally elicited an unprecedented response. FBI Director Wray convened the first-ever joint public appearance of the intelligence chiefs from across the Five Eyes partnership—which includes the United States, the United Kingdom, Canada, Australia, and New Zealand—in Silicon Valley, the womb of the West’s innovation ecosystem. They warned that CCP espionage poses an existential threat to American innovation and democracy and discussed how to protect Western industries. 

This level of interagency coordination must continue and grow if the West has any hope of prevailing against the PRC’s industrial espionage. The FBI’s Office of Private Sector, which conducts outreach on this issue, should be scaled up dramatically and work with foreign partners to counsel businesses on best practices for counterintelligence. Already, as a result of these awareness campaigns, Director Wray has noticed a shift in attitudes—indeed, “Whereas private sector players once needed to be sold on the existence of a threat in the first place, […] they’re now hungry to learn how they and the FBI can fight back together.”

Third, Washington should develop a more rigorous national cybersecurity infrastructure. As recent history overwhelmingly indicates, private companies cannot fend off the entire might of the world’s second-largest economy on their own. Fortunately, they do not have to. The Department of Defense (DoD) possesses cyber capabilities that the private sector lacks. For example, DoD can identify thieves and target invasive methods more effectively, efficiently, and with greater reach, given the considerable expertise and resources at the DOD’s disposal. Homeland Security Presidential Directive 7 charged DoD with the protection of the Defense Industrial Base against espionage and cyber-attacks like those of the PRC. Still, the Directive does not allow DoD to assist private companies without Presidential approval. Companies should be able to request cybersecurity protection more easily, and DoD should be authorized to defend private networks, especially for companies involved in sensitive government contracts. 

Moreover, as a rising tide lifts all boats, additional funding to enhance U.S. cyber defense and counterintelligence capabilities—like those of the Defense Counterintelligence and Security Agency and the Cybersecurity and Infrastructure Security Agency—would bolster the protection of the private and public sectors alike.

At the very least, companies contracting with the government must be induced to employ stronger precautions through incentives and penalties. The United States government often subsidizes its R&D, so it should give preference to companies that demonstrate they can protect the product from being stolen. 

Fourth, American businesses must invest in ‘people security.’ One of the CCP’s favorite espionage tools is recruiting insiders because they understand, as former FBI Assistant Director of Counterintelligence Bill Priestap pointed out, “One malicious actor on the inside of a company can undermine almost any security system, be it physical or virtual.” Beyond technical protections and cybersecurity solutions, companies must consider a more expansive view of information security that addresses the people problem of industrial espionage. 

Rigorous hiring screenings can weed out individuals under the control of an intelligence service, but intelligence agencies like those of the PRC target those with “suitability” and “access”—thus, most people recruited already work at the company with the desired assets. Therefore, business leaders must understand the intelligence landscape to prevent and mitigate threats. For example, those in industries targeted as part of the PRC’s “Made in 2025” plan should be prepared to face a dedicated, persistent espionage campaign and work with the proper authorities to survive it. Companies should also identify their key assets—those that provide their competitive advantage and would sink the company if stolen—to prioritize protection measures around them. Businesses should also stay vigilant of those employees with financial or familial connections to competitor nations like China.

Meanwhile, ignorant insiders are just as much a threat as malicious ones, as human error causes 90% of data breaches. This is another reason why raising awareness of this threat throughout the private sector is a critical and inexpensive lynchpin in America’s counterintelligence defense. If companies understand the potentially crippling cost of dealing with the CCP, they will insist on instilling basic cyber and human security literacy among their employees. 

For these reasons, businesses in targeted industries should enact rigorous counterintelligence programs that simultaneously train employees to recognize potential espionage activities and provide employees with the knowledge, procedures, and tools needed to protect themselves and the company—particularly for employees handling strategically valuable assets. 

Winning the Race

Thankfully, the hare of the West is starting to notice the tortoise’s silent war. While the United States may never fully grasp the damage inflicted on its economic and national security by this historic theft, policymakers and executives can capitalize on the momentum ignited by the FBI and the Five Eyes to better educate and protect the American private sector through stronger counterintelligence, thereby curbing the heretofore heedless business dealings with the CCP that threaten American businesses, the United States, and the international order itself.

The author would like to thank Christian Trotti for his invaluable editing support and Professor Edward “Bill“ Priestap for his leadership in combatting this issue.