Pages

17 June 2023

Microsoft’s Big Footprint In China Is Out Of Step With U.S. Security Concerns

Loren Thompson

U.S. strategy identifies China as the most important threat to national security. Beijing’s steadily rising investment in military capabilities aimed at achieving dominance of the Western Pacific region is only one facet of this threat. The larger concern focuses on China’s bid to overtake and surpass America in emerging technologies such as artificial intelligence.

Against that backdrop, Washington has increasingly moved to limit the sharing of key technologies with China. However, some of America’s top tech companies have been slow to respond to growing U.S. security concerns. MicrosoftMSFT +0.9%, the world’s largest software maker, is a case in point.

Although Microsoft acknowledges that state-supported Chinese actors are exploiting its products to steal foreign intellectual property and penetrate vital infrastructure, it has not slowed its business activities in China. Quite the opposite. It sells over 70 products in the People’s Republic and employs thousands of software engineers—many of whom work on cutting-edge innovations.

Microsoft is not alone among U.S. tech companies in having a China presence, but it may be unique in the sensitivity and diversity of the work it funds. Even a cursory review of its activities raises red flags for U.S. national security.

Market presence. Microsoft opened its first office in China in 1992, at a time when U.S. leaders had some basis for believing that the world’s most populous country was evolving towards more democratic norms. Six years later, the company established Microsoft Research China, which has steadily expanded to sprawling campuses in Beijing, Shanghai and other Chinese cities.

The company today describes its Asia research arm, which is concentrated in China, as the company’s “most comprehensive R&D center outside of the United States, with over 6,000 scientists and engineers.” It freely admits that the role of these workers is to translate the company’s latest research findings into marketable products such as the Azure line of cloud computing services.

In 2014 Microsoft became the first foreign company to offer public cloud computing services in the Chinese market. It has continued to offer new products in China, including cybersecurity software such as Sentinel, Defender and Azure Firewall. The company announced in March of this year that it would begin offering OpenAI as part of its cloud services. Many of its products in the Chinese market are supported by or marketed through a network of 17,000 Chinese partners.

Code access. If China were a normal country, these moves might be regarded as textbook strategies for growing market share. But China is not a normal country—it is a rival of America for global power that increasingly resembles a totalitarian dictatorship. One aspect of its authoritarian behavior is a national cybersecurity law that demands government access to the source code and other proprietary details of products sold within the country.

The People’s Daily reported on March 5, 2003 that Microsoft had given the Chinese government access to the source code for its widely used Windows operating system. Windows has since been used to perpetrate attacks against a variety of foreign assets, including most recently U.S. infrastructure. Under the terms of the cybersecurity law, Microsoft potentially is required to reveal highly sensitive features of its product software, such as encryption keys.

Malware Vulnerabilities. Microsoft has increasingly warned that the unusual degree of access to intellectual property afforded by Chinese law and regulation has security implications for users of its products. The Chinese government insists that when software vulnerabilities are detected, they must be reported to the government before other organizations are alerted.

This demand is enforced even against domestic companies. For instance, Alibaba was sanctioned for reporting a vulnerability to Apache in its source code before it was reported to the government. Unfortunately, the government may be using such early reporting to support its own cyberattacks around the world. Microsoft expressed that fear in its 2022 Digital Defense Report:

Many of the attacks coming from China are powered by its ability to find and compile “zero-day vulnerabilities”—unique unpatched holes in software not previously known to the security community. China’s collection of these vulnerabilities appears to have increased on the heels of a new law requiring entities in China to report vulnerabilities they discover to the government before sharing them with others.

In other words, Microsoft has agreed to terms for its market presence in China that facilitate China’s efforts to compromise information systems around the world. Because Microsoft products are so ubiquitous and China demands unique access to their source code and potential vulnerabilities, they can be readily weaponized by state-supported hackers.

Artificial intelligence. There isn’t much that Microsoft develops that can’t be legitimately purchased in China. In April, it began offering Microsoft Teams to Chinese customers. But perhaps the most sensitive products the company works on in the People’s Republic are those involving artificial intelligence.

Microsoft offers over two dozen AI products in China, mainly associated with its cloud services. More importantly, it funds the development of artificial intelligence software and applications at research campuses in the country. Thousands of Chinese employees are engaged in such work, so the company in effect is assisting China in the development of its AI expertise.

That isn’t the only way China’s push to lead in AI is facilitated. Because of the way that the Chinese cybersecurity law works, the company can’t incorporate items like OpenAI large language models into the products offered in China unless it gives its employees and the government access to relevant source code.

Given China’s past behavior with other emerging technologies, it is a safe bet that said access is helping the country to develop its own domestic champions in artificial intelligence, that being a declared objective of the present five-year plan.

Microsoft may be waking up to the danger: the Financial Times reported on June 10 that Microsoft is beginning to move its top AI researchers out of China to a new research campus in Canada. But that won’t reverse the damage already done to U.S. security by Microsoft’s presence in China.

My think tank receives funding from several companies engaged in aspects of information technology such as cybersecurity.

No comments:

Post a Comment