Insight

Starting in early 2022, KSG has advised MNCs on how to securely de-risk China enterprise operations while maintaining a competitive market position.

A recent FT article highlighted a trend KSG witnessed starting early last year. Multinationals are moving to fully localize their data and separate IT networks and applications in China. The proximate cause of these moves is pinned on China’s increasingly stringent (but intentionally ambiguous) data privacy and anti-espionage laws, increasing political tensions, and, most recently, raids of foreign MNCs offices.

After recent raids spooked some western consultancies, more firms are looking to “de-risk” their enterprise architecture in China. However, not all businesses can fully separate their operations so easily, and many recognize that these decisions may not apply universally to all applications, data, or cross-border services.

Key Principles That Should Frame any China-for-China Strategy:

1. Navigate the Political Landscape: Each industry’s threat profile is different, and each requires its own course towards safety.

2. Target Resilience: Ensure you have the flexibility to manage future uncertainties by preserving optionality when possible 

3. Evaluate Enterprise Architecture: Determine how to shape the relationship between critical data storage, admin access, business impacts, and network dependencies.

4. Prioritize Strictly: Identifying what capabilities to move and duplicate now will reduce implementation risk.

Business Risks Facing MNC Operations in China

1. Technical Risks: Chinese tech increasingly found throughout the global value chain will create "Bug Doors.” Moves to bifurcate tech stacks will result in more offensive hacking between the PRC and the rest.

2. Insider Trust: Arbitrary enforcement of local laws risks the security of IP and the safety of employees and executives—the PRC is sliding back to join other autocracies.

   1. Insiders are likely victims of state-backed coercion and manipulation, rather than ill-willed employees.

   2. The MSS offers cash payouts to anyone who reports unpatriotic behavior or actions that “endanger national security.” It’s unclear if disgruntled employees reporting employers for perceived actions against China’s interest will be accepted.

3. Political & Operational Risks: China’s crackdown on capital and increasingly concentrated political power risks stable corporate operations.

   1. PRC will try to expand its market through mercantilist trade policy.

Strategic Threat Modeling Should Drive De-Risking Decisions

Understand what threats are most likely to present a significant impact on your value chain and prioritize enterprise operations accordingly.

This assessment should answer three key questions:

1. Risks Mitigated: To what extent would localizing a given application, service, or infrastructure element mitigate plausible PRC risks?

2. Risks Introduced: To what extent would localizing introduce new risks, and how are those evaluated and controlled?

3. Operating Model Impact: What impact would localizing have on firm operating model, customer delivery, and competitive position?

Firms should apply the following decision rule: Prioritize those applications for PRC localization that maximize known risks, minimize new risks, and limit operating model impact.

Across all related enterprise architecture de-risking decisions, firms should consider the following options: adjusting logical controls to databases, applications, and systems; creating hybrid structures for specific databases or apps with instances inside and outside China; or conducting a full separation of enterprise networks and connectivity.

These decisions are complex, hard to tangibly justify, and costly. They require the input and buy-in across the executive team with a clear, actionable roadmap that reflects priority mitigations. All activities should be tightly managed internally with senior leadership guidance and sound operational security measures. Lastly, since these are multi-month/year initiatives, firms should regularly adjust their strategies given changes in the threat model and security environment.

For more information or assistance on these issues, please reach out to intel@ks.group.

Forwarded this ExecBrief by a friend? Click below to sign up for our weekly dispatch.

Global Scan

Geopolitics

1. Beijing Tells Chinese People to Mobilize for Counter-Espionage: Following the passage of vague new espionage laws in July, the Ministry for State Security aims to establish channels for citizens to report suspicious activity, including a rewards system.

2. Italy Looks to Withdraw from China’s Belt and Road Initiative: As the only Western member, joining in 2019 was an “atrocious” decision, Italy’s defense minister says, as the new Meloni seeks to leave it without damaging ties with Beijing. Analysts note the initiative did little to boost exports, while Chinese exports to Italy soared.

Cybersecurity

1. UK NCSC Releases “Shadow IT” Guidance: Enabling system owners and technical staff to mitigate the presence of unknown (and therefore unmanaged) IT assets within their organization.

2. Norwegian Government Grapples with Zero-Days in Ivanti Software: The company found out about two serious vulnerabilities in the same software within days of each other, prompting rapid patch releases and advisories from the US Cybersecurity and Infrastructure Security Agency (CISA). Multiple government ministries were affected.

3. Cloud Provider Facilitated 17 State Hacking Groups: Researchers at Halcyon assess that virtual private service provider Cloudzy hosts malicious activity from a range of actors. The company is largely staffed by employees of a Tehran-based company, accepts cryptocurrency payments, and requires no identity verification from its customers.

Strategic and Emerging Technology

1. Companies Set Sights on Lunar Exploration and Extraction: The Space Resources Roundtable saw record attendance by entrepreneurs looking to facilitate NASA’s push for landing, construction, facilities, and mining on the moon’s surface.

2. Super Superconductors? Don’t Believe the Hype: Despite a Korean team’s recent reported breakthrough on room-temperature superconducting—which would revolutionize electricity transmission, storage, and computing—experts remain skeptical.

3. Heat-Based HADAR Promises Depth and Texture in Imaging: A new technique for low-visibility and thermal imaging—heat-assisted detection and ranging, or HADAR—recaptures texture and depth through darkness, fueling new prospects for machine-sensing.

Policy/Regulation

1. White House Releases Cyber Workforce and Education Plan: The strategy aims to fill critical gaps – over 660,000 jobs, by some estimates – in the US cybersecurity workforce. Government agencies will encourage companies to offer apprenticeships and other on-the-job training, and forge partnerships with businesses on training and education.

2. US Senate Advances Orbital Debris Removal Bill: The legislation would direct NASA to support missions to clean up outer space. However, international cooperation will likely be necessary to reassure other spacefaring states regarding in-orbit spying and sabotage.

3. Congressional Scrutiny of Microsoft Breach Intensifies: Several committees are now investigating alleged Chinese hackers’ exploitation of a vulnerability used to breach US government emails. “Microsoft bears significant responsibility for this new incident,” Senator Ron Wyden wrote in a letter to federal agency heads.

Bookmarks

1. CSET: Mapping Emerging Technologies and their Supply Chains

2. ARS Technica: A Jargon-Free Explanation of how Large Language Models Work

3. RUSI: Can Outer Space Be Kept Free of Armed Conflict?