Secretary of Commerce Gina Raimondo made American policy clear this week when discussing the role major technology companies have to play in the United States’ strategic competition with China.
“When it comes to emerging technology,” she said, “you cannot be both in China’s camp and our camp.”
Those are powerful words as the secretary’s agency seeks comments on a proposed Know-Your-Customer, or KYC, rule designed to keep valuable U.S. technology out of the hands of countries like China and Russia. In that spirit, one critical concern should be closing a significant loophole in the proposed rule that would allow some of the U.S. government’s largest cloud service providers to continue pursuing profits in China at the risk of compromising U.S. national security.
Commerce’s proposed rule would require U.S. cloud companies to identify and disclose instances where “foreign malicious actors” might use their products and services to undermine national security. It would also authorize the U.S. government to audit companies’ processes and procedures in these instances and recommend/enforce remediation measures to prevent future issues.
Where the Commerce rule falls short is the exemption of independent subsidiaries that operate as overseas arms of U.S. companies. Even if the proposed rule compels Microsoft or Amazon to proactively shrink their operations in China to avoid long, drawn-out audits, their de-facto foreign subsidiaries will allow them to continue profiting off the sale of products and services to the Chinese government. The KYC rule may paradoxically help the Chinese by making it harder for the U.S. government to know the details of some U.S. cloud providers’ customers and operations in China. This omission is not consistent with the overall goal of the KYC rule to enhance national security.
Companies have faced few repercussions for allowing China and other adversaries to use their advanced technologies to undermine U.S. interests. That’s despite mounting criticism in Washington. While the proposed rule aims to address these risks, it can’t be truly effective unless it scrutinizes the murky relationships U.S. cloud companies enter into with foreign-owned companies.
One example is 21Vianet, which serves China’s government, enables its military, and aids and abets its oppressive surveillance regime. 21Vianet is a Chinese company operated by the holding company VNET Group, Inc., and is the exclusive operator of Microsoft’s cloud computing platforms in China. 21Vianet brought Microsoft’s Azure cloud platform to China and has expanded its services to the Chinese government, operating as a Microsoft subsidiary in virtually every function but its name.
Amazon operates similar partnerships, including with Ningxia Western Cloud Data Technology Co., which is partially state-owned. Through the company, AWS delivers cloud services for Chinese state and defense agencies, yet another example of a China-based company that exists only to sell the products of a single U.S. tech company and operates almost entirely at the direction of its U.S. tech “partner.”
Despite their vast presence and robust partner networks in China, U.S. cloud companies are all too aware of – and public about – the risks that China and our other adversaries pose to U.S. national security. And the technology being marketed by U.S. companies in China is enabling the country to attack U.S. interests.
Recently, Microsoft disclosed that it has caught China, Russia and Iran using its AI tools to hone malicious hacking campaigns and warned that China may use its AI technology to influence the 2024 election. Both Microsoft and Amazon have repeatedly warned about the increasing sophistication of hackers from the likes of Russia and China.
Last year, the American Security Project released a report detailing the sprawling web of exclusive, independent partners and affiliates that Microsoft, Amazon and other U.S. companies like Oracle use to sell their products in mainland China, including to the Chinese government and its military.
The structures of these arrangements are intentionally murky, strategically employed by the companies to avoid U.S. regulations while complying with China’s increasingly stringent laws governing foreign-owned companies. The partners – de-facto Microsoft and Amazon subsidiaries – are prone to cyber intrusion because of source code and vulnerability disclosure requirements and compliance with arbitrary “state secrets” laws that are known to have compromised the U.S. government’s data security.
The proposed KYC rule seeks to directly address such issues by stopping adversaries from getting their hands on advanced U.S. cloud and AI technologies. Regulators cannot miss this opportunity to compel Microsoft, Amazon and their peers to prioritize U.S. interests instead of chasing profits with our adversaries. If not now, when? We must act before it’s too late.
Paul Rosenzweig is the founder of Red Branch Consulting PLLC, a homeland security and cybersecurity consulting company, and a Senior Advisor to The Chertoff Group. Mr. Rosenzweig formerly served as Deputy Assistant Secretary for Policy in the Department of Homeland Security. He is currently a Professorial Lecturer in Law at George Washington University, and a Senior Fellow in the Tech, Law & Security Program at the American University, Washington College of Law.