Recent prominent data breach incidents, such as hacks of the Office of Personnel Management, airline passenger lists and hotel guest data have made clear how vulnerable both public and private systems remain to espionage and cybercrime. What is less obvious is the way that a foreign adversary or competitor might target data that is less clearly relevant from a national security or espionage perspective. Today, data about public sentiment, such as the kinds of data used by advertisers to analyze consumer preferences, has become as strategically valuable as data about traditional military targets. As the definition of what is strategically valuable becomes increasingly blurred, the ability to identify and protect strategic data will be an increasingly complex and vital national security task.
This is particularly true with regards to nation-state actors like China, which seeks access to strategic data and seeks to use it to develop a toolkit against its adversaries. Last month, MI6 chief Richard Moore described the threat of China’s “data trap”: “If you allow another country to gain access to really critical data about your society,” Moore argued, “over time that will erode your sovereignty, you no longer have control over that data.” And most governments are only just beginning to grasp this threat.
In testimony to Congress last month, I argued that in order to defend democracy now, we need to better understand how particular datasets are collected and used by foreign adversaries, especially China. And if we’re to properly defend strategic data (and define and prioritize just which datasets should be protected) in the future, we need to get creative about imagining how adversaries might use them.
The Chinese state’s use of technology to enhance its authoritarian control is a topic that has received considerable attention in recent years. The targeting of the Uyghur people in Xinjiang, aided by invasive and highly coercive use of surveillance technology, has been a focal point of this discussion. So, understandably, when most people think about the risks of China’s “tech authoritarianism” going global, they think about how similarly invasive surveillance can go global. But the real problem is far more significant and far less detectable because of the nature of the digital and data-driven technologies concerned.
The Chinese party-state apparatus is already using big data collection to support its efforts to shape, manage and control its global operating environment. It understands that data that seems insignificant on their own can carry enormous strategic value when aggregated. Advertisers may use data on public sentiment to sell us things we didn’t know we needed. An adversarial actor, on the other hand, might use this data to inform propaganda efforts that subvert democratic discourse on digital platforms.
The U.S. and other countries have rightly focused on the risk of malicious cyber intrusions — such as the aforementioned OPM, Marriott and United Airlines incidents that have been attributed to China-based actors — but data access needn’t be derived from a malicious intrusion or alteration in the digital supply chain. It simply requires an adversary like the Chinese state to exploit normal and legal business relationships that result in data-sharing downstream. These pathways are already developing, most visibly through mechanisms like the recently enacted Data Security Law and other state security practices in China.