As global society heads deeper into the digital age, no one doubts that cyber-attacks, data hacking, and the theft of intellectual property will increase. While these crimes recognize no borders and can be committed by anyone from any country, China is widely acknowledged by the FBI as among the biggest perpetrators. This is because, from its zero-sum lens, China sees the United States as its most important economic competitor.
This creates a dilemma for American companies that are China’s economic partners. American business leaders tend to be more idealistic than their Chinese counterparts and often assume too many cultural similarities, which can cause them to overlook an insider threat. Combined with China’s proven history of using state resources to put American companies out of business through spying and disinformation campaigns, American businesses are nearly always at risk of being exploited by a foreign government, Chinese or otherwise.
Below, Noelle Borao, a social scientist whose focal research is innovation and IP theft, talks more about the insider threat to commerce from adversarial countries like China.
How common is the insider threat to American companies that do business with China today?
Based on my research, over 70% of technology and information theft via various modalities is perpetrated by an organization’s insiders, broadly defined as those who the organization knows and trusts. This may include employees, C-suite executives, consultants, advisors, and contractors – even those who are contracted for a very short period of time. They typically have a business, political, or familial ties to China, and more often than not, perpetrators do not act alone. They collaborate with accomplices on the outside, like individuals and networks from state-owned Chinese companies. They can be of any ethnicity.
What are some of the ways that a company can protect its innovations and data against an insider threat?
While the answers are more complex than the space allows, a few are particularly easy to understand. First, employees must be made aware of the insider threat. Yet leadership can be hesitant to talk about it because some may perceive it as culturally insensitive. Creating an ongoing plan for raising employee awareness, one that keeps these concerns in mind but does not denigrate people for the actions of a few, would be an excellent start.
Next, each company, no matter its size or industry, should conduct a thorough review of its vulnerabilities and risks, from cyber to physical security. Typically this is viewed as a cost rather than a growth function, which I think is a mistake because security must be viewed as a part of revenue protection. CEOs and CFOs are particularly prone to this mistake, but a review should be done at least once a year, if not twice.
Also integral is the development of a protocol that deliberately bakes into a company’s processes and procedures the steps to detect and surface the potential for insider threats. Additionally, the roles of CIO and CISO (chief information security officer) should be elevated to the C-suite rather than just being roles with vanity titles. A heightened ability to implement strategies to oversee people, processes, and technology will help a company to react quickly if a threat is detected. However, this may run afoul of employees’ privacy concerns, and in many ways, democratic societies can be easily exploited by authoritarian countries for this reason.
What is the future of the business relationship between American and Chinese companies?
Capital is so global that it is hard to geographically segment companies nowadays. For decades, we assumed that the more China did business with the U.S., the better its human rights and economic freedom levels would become. This has obviously not proven correct – at least not at this point in time. Given the two countries’ deep entanglement, the only solution I see is for American businesses to convince their Chinese counterparts to change course and become responsible stakeholders in the global business environment. They can do this through various incentives and disincentives. Businesses must lead the way, and conscientious consumers can help them.
In the end, the best defense begins with information and an unflinching assessment of where your company stands in its vulnerabilities. The more you understand the threat environment, the more you can protect your company.
Noelle Borao is a social scientist whose current research focus is innovation, under the tent of U.S.-China affairs. She is a California co-chair of No Labels. Her views are her own.
