OPINION:
American companies that do business in China know there are strings attached. They know they will be required to have Chinese Communist Party-affiliated executives as members of their management and marketing teams and even their boards of directors.
They know — or ought to know — that they will surrender their proprietary methods, materials and marketing information as a condition of doing business and that if those executives leave their companies and use the knowledge they’ve gained to form competing firms, their suppliers will sell to them for less than to the American firm.
It’s one thing if the American company is making tomato sauce or stuffed animals. The disadvantages may be acceptable for the growth in market share. It’s quite another if the company is Microsoft.
Microsoft has been in China for 20 years now. It works on engineering projects, research initiatives, and expanding its software and artificial intelligence sales. In the course of doing this, it has become dangerously involved in China’s tech ecosystem.
China’s National Cybersecurity Law requires data to be stored in China and that “organizations and network operators submit to government-conducted security checks,” wrote Lauren Maranto of the Center for Strategic and International Studies, which has expressed concern about the national and personal security implications of Microsoft’s involvement in the Chinese tech community.
This, other experts say, allows China to demand access to computer program source codes and to look even further into the company’s vast array of intellectual property.
One doesn’t have to be a tech genius to understand the threat this could pose for America’s economic, technological and even strategic security. A report earlier this month from the federal Cyber Safety Review Board hammered Microsoft for having an inadequate security culture that permitted Chinese hackers to breach email accounts of senior U.S. government officials, including Secretary of Commerce Gina Raimondo.
The report revealed that Microsoft had no idea how the government’s encrypted email system got hacked. It criticized Microsoft’s “shoddy cybersecurity practices, lax corporate culture” and “a “deliberate lack of transparency” and said its cybersecurity structures “required an overhaul.”
Another report, released in October 2022 by the Cybersecurity and Infrastructure Security Agency, the National Security Agency and the FBI, identified the top Common Vulnerabilities and Exposures since 2020 to Chinese state-sponsored cyber actors. The report, which focused on those that “have actively targeted US and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks,” found that 20% of the most vulnerable systems were Microsoft.
So you have several government agencies with diverse missions all expressing concern about Microsoft’s involvement with China and its implications for security within those missions. It is clear from the reports mentioned above that the agencies involved do not see this as a close call. Anytime you see “shoddy,” “lax,” “lack of transparency” and “needs an overhaul” in proximity, you can assume things are amiss.
At this point, we must assume China has its tentacles deep into Microsoft’s technology, intellectual property and source codes. We must assume the worst in terms of potential dangers, and we must assume the company to this point has not been candid about the challenges it has faced and will face in trying to protect the U.S. from predations from China.
The government must respond accordingly. If Microsoft can’t make real transparency and accountability and robust risk mitigation its top priorities in the very near future, if it can’t embark on that “overhaul” of security structure recommended by the Cyber Safety Review Board, then perhaps the government should consider how much it should rely on Microsoft products going forward.
The stakes are too high and the risks too significant to allow what seems to be the current approach to go forward.
• Brian McNicoll, a freelance writer based in Alexandria, Virginia, is a former senior writer for The Heritage Foundation and former director of communications for the House Committee on Oversight and Government Reform.
Please read our comment policy before commenting.