KSG Executive Brief
June 2, 2023
Insight: Data Security Precautions Given China Raid-Risk
What data security measures are prudent to address raid risk in China? (From a recent professional services client with large presence in mainland China)
KSG Advisory Approach
Strategic Context: Recent revision of China’s Counterespionage law increased scope to “state secrets and national interests”. Under this broad ambit, the Ministry of State Security has conducted unannounced raids on western consulting and expert advisory firms, interviewing staff and seizing company devices.
Identify Risk Mitigations: Assess specific local operational risk profile (clients, partners, JVs, etc.), identify in-country staff data accesses, validate endpoint controls, and review device management policies.
Proactive preparation beats reactive separation: Companies should work now to ensure data and access is properly localized to support in-country operations, with robust security controls to monitor and control network activity.
Consider segmentation and separation models: Enterprise architecture should reflect business needs and operational requirements while enforcing reliable controls over sensitive data and IP.
Actions to Avoid: Do not plan to reactively wipe devices or exfiltrate local data out of the country during or after a raid, as this will expose local staff to increasing scrutiny and potential detention.
For more information on this issue, please reach out to email@example.com.
Forwarded this ExecBrief by a friend? Click below to sign up for our weekly dispatch.
EU, US Discuss Aligning Investment Controls With Eye on China: Outbound investment screening is the topic du jour in DC and Brussels, though joint action is likely to remain narrowly focused on limiting investment and “know-how” flows to China on strategic technologies like AI, quantum, and wireless telecoms. Competition between US and EU subsidies may hold back unified policies on broader semiconductor and next generation energy restrictions.
How the US is deepening military alliances in China’s backyard: US efforts to bolster the Indo-Pacific security architecture are making progress with Japanese defense announcements and expanded US basing access across the Philippines, Australia, Papua New Guinea, and the Freely Associated States. But these agreements, and slow efforts to improve tactical interoperability, are a long way from joint war planning and exercises.
International Atomic Energy Agency presents plan to protect Russia-occupied nuclear plant in Ukraine: Director General Rafael Grossi offered five principles, discussed with both Moscow and Kyiv, to prevent a catastrophe stemming from attacks on fuel storage, critical infrastructure, or personnel. The plant—Europe’s largest—has been occupied by Russian troops since March 4.
DoD sends new cyber strategy, informed by Russian invasion, to Congress: Mostly classified, we draw attention to this item from the DoD fact sheet: “The People’s Republic of China (PRC) represents the Department’s pacing challenge in the cyber domain. The PRC has made significant investments in military cyber capabilities and empowered a number of proxy organizations to pursue malicious cyber activities against the United States.” DoD committed to use cyber capabilities in support of “integrated deterrence”, including “hunt forward” operations.
Russia's Federal Security Service (FSB) accuses US intelligence of hacking “thousands of Apple iPhones” with help from the company: Kaspersky Labs analysts could not fully confirm the allegation, while Apple vehemently denied ever collaborating with any government on “backdoors” into its products.
Netherlands brace for Chinese cyberespionage after introducing export curbs on chips: The foreign ministry echoed the Dutch intelligence service’s concerns over the “massive threat” of Chinese intellectual property theft, particularly after the Hague joined the US and Japan in shutting off the supply of advanced technologies to Beijing.
Strategic and Emerging Technology
AI supercomputer targets antibiotic-resistant superbug: US and Canadian scientists drew on “deep learning” to identify chemical compound that eradicates acinetobacter baumannii, a longtime scourge of hospitals globally. The process could also speed the discovery of treatments for other potentially fatal diseases.
Sustainable jet fuel startup CleanJoule raises $50 million from investor group including three airlines. The successful round is the latest indicator that biofuels are viewed as a potentially viable alternative to petroleum-based aviation fuels.
EU to discuss AI rules with OpenAI CEO in June: They will discuss how OpenAI will enforce the EU’s proposed AI ACT regulations after Altman threatened to quit Europe if the rules are too onerous—this comes on the heels of Alphabet’s CEO suggesting a voluntary AI pact for tech giants to form ahead of the 2026 legal deadline. The speed of progress is forcing government and tech CEOs into uncomfortable positions where cross-border rule setting is intensely fraught.
US Federal Trade Commission and Department of Justice accuse Amazon of violating children’s privacy law: Company retained voice recordings and geolocation of minors, despite parental requests for deletion. Authorities sought restitution of $5.8 million to Alexa and Ring users, and a $25 million fine.
EU Raises Alarm Over Demands to Store Trade Secrets on Computers in China: The PRC is phasing in new rules that require cosmetic firms to store the lists of ingredients, processes for production, and sourcing documentation for the company’s products on servers in China. Without a specific requirement that the information be divulged to regulators, demanding that they store the information on PRC computers without a clear business case is concerning.