Sens. Marco Rubio, R-Fla., and Tom Cotton, R-Ark., this week introduced a bill that would prohibit the U.S. government from contracting with companies that use equipment or services from Chinese telecommunications companies Huawei and ZTE. The two members of the Senate Intelligence Committee said they are proposing the bill because of concerns that the companies enable Chinese espionage.
“Huawei is effectively an arm of the Chinese government, and it’s more than capable of stealing information from U.S. officials by hacking its devices,” Cotton said in a press release. “There are plenty of other companies that can meet our technology needs, and we shouldn’t make it any easier for China to spy on us.”
But pointing the finger at Huawei and ZTE is oversimplifying the Chinese industrial espionage threat. Although the concerns are certainly valid, it is important to understand that Huawei, in many respects, represents the tip of a much larger iceberg that has gone undetected in the mainstream media for the last 25 years.
What follows is a detailed look at the roots of China’s orchestrated industrial espionage efforts, the scale and scope of which are truly daunting.
.. -. … .. -.. . / .— — -…
During the height of the Cold War, no other nation could match the desire and ability of the Soviet Union’s KGB to steal American corporate secrets, particularly technology secrets. That has since changed. In today’s world, China has replaced and improved upon the KGB model of industrial espionage to the point that China now represents the single most capable threat to U.S. technology leadership and national security.
When viewed through the lens of China’s orchestrated, government-backed industrial espionage program, incidents that may appear to be isolated crimes based on an individual’s desire for financial gain take on new meaning. The implications for corporate security and intellectual property protection are profound.
But there is much more to China’s quest for U.S. technology. The People’s Republic of China (PRC) has obtained a major advantage that the former KGB did not enjoy during the Cold War: unprecedented access to American universities and industry.
At any given time there are more than 100,000 Chinese nationals in the U.S. attending universities and working throughout U.S. industry. Although many of these individuals are not spies, the fact remains that they are a major component of the PRC’s industrial intelligence collection operation. In fact, some might be surprised to learn that there are very few professional PRC intelligence operatives actively working on collecting U.S. technology secrets compared to the number of PRC civilians who are actively recruited (either by appealing to their sense of patriotism or through other more coercive means) to routinely gather technology secrets and deliver those secrets to the PRC.
Thus, the PRC employs a wide range of people and organizations to do its dirty work abroad, including scientists, students, business executives and even phony front companies or acquired subsidiaries of U.S. companies. During 1996, for example, more than 80,000 PRC nationals visited the U.S. as part of 23 different delegations and many likely were given specific collection requirements by the Chinese Ministry of State Security (MSS).
It is in the PRC where the military-industrial complex truly comes to life. Nowhere is this more evident than in the 1997 “16-Character Policy,” which makes it official PRC policy to deliberately intertwine state-run and commercial organizations for the benefit of PRC military modernization. In their literal translation, the 16 characters mean as follows:
Jun-min jiehe (Combine the military and civil)
Ping-zhan jiehe (Combine peace and war)
Jun-pin youxian (Give priority to military products)
Yi min yan jun (Let the civil support the military)
The 16-Character Policy is important because of what it does for the PRC’s industrial and economic espionage program: it provides commercial cover for trained spies who work directly for the PRC’s military establishment. And their only mission in life is to gain access to and steal the high-tech tools and systems developed by the U.S. and its Western allies.
The two primary PRC organizations involved in actively collecting U.S. technological secrets are the Ministry of State Security (MSS) and the Military Intelligence Department (MID) of the People’s Liberation Army (PLA). The MSS relies upon professionals, such as research scientists and others employed outside of intelligence circles, to collect information of intelligence value. In fact, some research organizations and other non-intelligence arms of the PRC government direct their own autonomous collection programs. Many of these so-called “princelings” — named for their political family connections within the PRC’s Communist Party — use their political and business connections abroad to surreptitiously acquire technologies developed by U.S. firms. They employ a wide range of tactics, including managing covert collection operations, acquiring the assets of various U.S.-based commercial businesses, and even establishing front companies to gain access to sensitive and proprietary technologies.
Recent studies suggest that there are currently more than 3,000 corporations operating in the U.S. that have ties to the PRC and its technology collection program. Many are U.S.-based subsidiaries of Chinese-owned companies. And while in the past they were relatively easy to identify, recent studies indicate that many have changed their names in an effort to distance themselves from their PRC owners.
One case in 1993 involved a man named Bin Wu, who was convicted of transferring restricted night vision technologies developed in the U.S. to his MSS masters in the PRC. Wu, a pro-Western professor who once taught in China, had been given the option by the MSS of either helping them acquire sensitive technologies or going to jail for supporting the pro-Western Tiananmen Square uprising. He chose freedom and was instructed to travel to the U.S. and establish himself as a legitimate businessman.
Wu founded several front companies in the Norfolk, Virginia, area. He then actively solicited information from various U.S. companies and made many outright purchases of advanced technologies, including night vision equipment. The technologies were then shipped to the PRC.
U.S. investigations into Chinese espionage show that Wu was part of a much larger community of PRC sleeper cells. Many were not professional spies. Rather, they were simply business professionals or academics who were managed by MSS agents and given collection requirements based largely on the U.S. military critical technology list. In fact, during the 1990s these sleeper cells were used to establish front companies that would eventually target the Aegis missile system. In particular, the PRC seems to have been interested in acquiring the proprietary software that formed the basis of the command and control system for the Aegis.
In testimony before the Joint Economic Committee of the U.S. Congress on May 20, 1998, Nicholas Eftimiades, a former member of the U.S. intelligence community and the author of “Chinese Intelligence Operations,” confirmed the organizational methods of China’s industrial espionage program outlined above. According to Eftimiades:
To collect technology and trade related information, China’s premier intelligence services…co-opt vast numbers of Chinese citizens living or traveling overseas…
First, co-optees are recruited in China and asked to acquire the targeted technologies while they travel abroad. Second, American companies with access to the desired level of technology are purchased outright by Chinese state-run firms. In intelligence circles this is considered a bold or aggressive operation. Third and most commonly, high-technology equipment is purchased by recruited agents running front companies. China’s most productive method of legally acquiring foreign technology is to send scientists overseas on scholarly exchange programs.
Much of China’s espionage efforts in industrialized nations are focused on mid-level technology, that may or may not be cleared for export. The focus of this economic espionage on midlevel technology is because China’s technological industrial infrastructure is still 10-15 years behind the United States…[i]
Many PRC domestic intelligence activities are directed against foreign businessman or technical experts. The data elicited from unsuspecting persons or collected by technical surveillance means is used by Chinese state-run or private enterprises. Prominent Beijing hotels, such as the Palace Hotel, the Great Wall Hotel, and the Xiang Shan Hotel, are known to monitor the activities of their clientele. In addition, the Ministry of Public Security (MPS) owns the Kunlun Hotel and probably monitors its guests. And anecdotal evidence provided to officials by Chinese prostitutes who frequent the Jianguo Hotel suggests that the guest rooms used by foreign businessmen contain microphones for eavesdropping. The Palace Hotel is owned in part by the PLA’s General Staff Department. One of the American contractors for the Xiang Shan Hotel had a series of verbal battles with PRC officials as it was being built. The Chinese demanded that additional wires be installed in each room. The purpose of the wires was to tie in microphones.
.. -. … .. -.. . / .— — -…
The new intelligence game is primarily about economic competitiveness. And it is a trend that is not likely to change anytime soon, according to the Office of the National Counterintelligence Executive report. In fact, even during times when new innovations in the IT industry were scarce, the demand for information technology trade secrets continued unabated. And the reason for that is clear: investment in information technologies has a direct correlation to a company’s potential market capitalization. IT is the new gold standard.
Former CIA director Robert M. Gates told a conference of business executives in Oct. 2000 that the so-called “business spy threat” is real and growing. “They want technological production and marketing information, and they usually share what they get with their country’s companies. To get this sensitive information, government intelligence services use many of the techniques developed during the Cold War,” he said.[ii] These techniques include bugging telephones and breaking into the hotel rooms of U.S. businessmen and businesswomen, and even planting moles in companies to steal or surreptitiously download files.
The case of Junsheng Wang and Bell Imaging offers an interesting example of the melding of international espionage and the threat to proprietary trade secrets. On April 26, 2001, Wang and Bell Imaging pled guilty to theft and copying of trade secrets belonging to Acuson Corp. A related company, Belson Imaging Technology Company Limited, a joint venture based in the People’s Republic of China, was also charged in the case with copying trade secrets. In pleading guilty, Wang and Bell Imaging admitted that Wang took without authorization and copied for Bell Imaging a document providing the architecture for Acuson’s Sequoia ultrasound machine. According to Wang’s plea agreement, he had been able to obtain access to the Acuson trade secret materials because his wife was employed as an engineer at the company and she had brought the document into their home. Wang said he copied the document and took it with him in 2000 on business trips to the People’s Republic of China for Bell Imaging. Wang was arrested carrying documents containing Acuson trade secrets at San Francisco International Airport as he was about to board a flight for Shanghai.[iii]
In September 2004, the FBI arrested 34-year-old Yan Ming Shan, of Daqing, China, on charges that he deliberately accessed, with the intent to defraud, computers and proprietary software belonging to 3DGeo Development, Inc., a Mountain View, Calif.-based company that develops software used to survey land for sources of natural gas and oil. Shan was arrested as he was about to board a flight to China.
3DGeo employed Shan from April through Sept. 2002 under an agreement with one of its customers, PetroChina, a Chinese company with a division named DaQing Oil. Shan routinely traveled to California for training on 3DGeo’s software. However, on Sept. 11, 2002, two 3DGeo employees noticed Shan creating a large electronic master file consisting of multiple files that the company considered proprietary trade secrets. Shan then changed the attributes of the file so that it became invisible. The two 3DGeo employees then searched through the files that Shan had placed in the master archive and discovered that the files contained proprietary software source code and programs that Shan was not authorized to have access to. And although all of the files were protected by passwords, company officials discovered that Shan had used a software cracking program to uncover the passwords, which he then stored in a master file on his personal laptop computer.
According to the criminal complaint against Shan, the information he obtained represented “the root value of 3DGeo and is not a product that 3DGeo would ever sell or disclose without very specific use restrictions.”[iv] On December 16, 2004, U.S. District Court Judge Jeremy Fogel sentenced Shan to prison for two years minus time served while awaiting trial.
Chinese government-owned companies have also been involved in schemes to steal the intellectual property of U.S. companies. And they have done this using the corporate equivalent of sleeper cells — foreign executives hired by U.S. companies on work visas, as well as naturalized American citizens who then establish U.S. companies for the purpose of gaining access to the proprietary data of other U.S. firms.
The U.S. Department of Justice on May 3, 2001, arrested and charged two Chinese nationals and a naturalized Chinese-American citizen with conspiring with a Chinese state-owned company to steal proprietary source code and software from Lucent Technologies Inc. As of this writing there has been no court decision in the case. However, according to the federal indictment, Hai Lin and Kai Xu, both of whom were employed at Lucent as “Distinguished Members” of the company’s technical staff, colluded with Yong-Qing Cheng, a naturalized American citizen and vice president of a U.S. optical networking company, to form a new business based in Beijing, China, using stolen Lucent technology.
The criminal complaint filed against the three executives alleges that they approached a Chinese state-owned company, named Datang Telecom Technology Co., seeking to establish a joint venture, which they stated in an e-mail would become the “Cisco of China.” Lin, Xu and Cheng then formed a company called ComTriad Technologies Inc., and with $1.2 million in funding from Datang, the two companies formed DTNET — a joint venture approved by Datang’s board of directors. There was just one problem. The Internet-based voice and data services product that Lin, Xu and Cheng were developing on behalf of the new venture (dubbed the CLX 1000) was based entirely on the proprietary software in Lucent’s PathStar Server, a product that earned Lucent more than $100 million during the previous year. It also was the very same technology that Lin and Xu had been working on while employed by Lucent.
Justice Department prosecutors allege that FBI searches of the computers used by the defendants reveal that on Jan. 21, 2001, Lin sent an e-mail to a representative of Datang advising that the “bare src” – allegedly referring to a portion of the PathStar source code – had been transferred to the ComTriad password-protected Web site, and that more source code would follow.
While it is not clear if Lin and Xu became aware of an investigation into their dealings or if they simply became paranoid, once the Lucent source code had been uploaded to the Web the two defendants began taking steps to hide their association with ComTriad. According to the Justice Department, they removed their names from the publicly-filed ComTriad articles of incorporation and obtained a post office box as the new mailing address for ComTriad. In addition, Cheng removed his name from an Internet registry record linked to the password-protected ComTriad Web site (www.comtriad.com) and Lin and Xu began using ComTriad e-mail addresses that did not identify them by name. They also used their wives’ names to obtain cell phones for ComTriad business. Lin and Xu then went as far as to assume the aliases Howard Lin and Roy Xu when communicating with the public regarding ComTriad business.
All three men were arrested on May 3, 2001 at their homes in New Jersey. When FBI agents searched their houses they seized large quantities of the component parts of the PathStar Access Server, including software and hardware, as well as schematic drawings and other technical documents related to the PathStar Access Server marked “proprietary” and “confidential.” Among other things, the agents seized a modified PathStar machine from Lin’s basement. Although presumed innocent until proven guilty, all have been indicted by a grand jury in Newark, New Jersey.
In a superseding indictment announced by prosecutors on April 11, 2002, the damage caused by this alleged economic espionage case goes well beyond Lucent. According to prosecutors, several other companies had licensed portions of their proprietary technology to Lucent for use in the PathStar Access Server. Those companies included Telenetworks, a business unit of Next Level Communications, headquartered in Rohnert Park, Ca.; NetPlane Systems, Inc. (formerly Harris & Jeffries, Inc.), a wholly-owned subsidiary of Mindspeed Technologies, Inc., headquartered in Dedham, Mass.; Hughes Software Systems, Ltd., a division of Hughes Network Systems, Inc., headquartered in Gurgaon, India; and ZiaTech Corporation, a wholly-owned subsidiary of Intel Corporation, headquartered in San Luis Obispo, Ca.
“This was a grave intrusion upon American business and technology,” said U.S. Attorney Robert J. Cleary in a statement shortly after the arrests were made. “In the information age, it is difficult to imagine anything more dangerous to a company’s business interests.”[v]
As is evident from the above case, individual acts of economic espionage can impact multiple companies. That was certainly the case in November 2001, when FBI agents arrested two San Jose, Calif.-based businessmen as they were about to board a plane to China carrying suitcases full of trade secret documents totaling more than 8,800 pages and $10,000 in equipment that they had allegedly stole from four U.S. high-tech companies.
When FBI agents arrested Fei Ye and Ming Zhong, they discovered microchip blueprints and computer aided design scripts from Sun Microsystems Inc., NEC Electronics Corp., Transmeta Corp. and Trident Microsystems Inc. Both once worked at Transmeta and Trident. Likewise, Fei Ye also worked at Sun and NEC. Prosecutors alleged that both men, originally from China, planned to use the stolen technologies to start a microprocessor company with the assistance of the Chinese government.
According to the indictment filed on December 4, 2002 in a U.S. District Court in the Northern District of California, Ye and Zhong established Supervision Inc. (a.k.a Hangzhou Zhongtian Microsystems Company Ltd., and a.k.a Zhongtian Microsystems Corp.) to sell microprocessors in China. They also allegedly sought the direct assistance of the Chinese government and stated in their corporate charter that their company would assist China in its ability to develop super-integrated circuit design, and form a powerful capability to compete with worldwide leaders in the field of integrated circuit design.[vi]
Although the indictment does not charge any government entity of China, it does suggest that there was considerable interest in and potential support from the Chinese government. A so-called “panel of experts,” for example, found that the Supervision project had “important significance” for China’s high-level embedded CPU development program and integrated circuit industry, and recommended that “every government department implement and provide energetic support.”[vii]
[i] Statement by Nicholas Eftimiades, Author, “Chinese Intelligence Operations,” before the Joint Economic Committee, United States Congress, May 20, 1998.
[ii] Margaret Johnston, “Business spy threat is real, former CIA chief says,” IDG News Service, Oct. 17, 2000.
[iii] U.S. Department of Justice Press Release dated April 26, 2001.
[iv] United States of America V. Yan Ming Shan, United States District Court Northern District of California, Sept. 18, 2002, p. 4.
[v] U.S. Department of Justice, “Lucent Scientists Arrested, Charged with Stealing Tech Secrets for Joint Venture with China-controlled Company,” May 3, 2001.
[vi] United States of America V. Fei Ye and Ming Zhong, U.S. District Court, Northern District of California, San Jose Division, Dec. 4, 2002, p. 3.