China's Data War Against the U.S.
In the digital realm, the CCP is using a strategy of unrestricted warfare to attack a largely unaware American populace.
China has long been accused of hacking into the computer systems of U.S. government agencies, private companies, and academic institutions to steal sensitive information and intellectual property. Stories reporting such activities have become so commonplace today that we barely even notice them.
In 2022, the U.S. Department of Justice indicted four Chinese nationals for allegedly conducting a massive cyberattack campaign that targeted dozens of entities in various sectors, including aviation, defense, education, government, health care, biopharmaceutical, and maritime. The hackers were said to have exploited vulnerabilities in software products and used malicious code to access and exfiltrate data from the victims’ networks. Data stolen included millions of Americans’ personal information, U.S. companies’ trade secrets, and research data on emerging technologies such as AI and biotechnology. The U.S. government said that the hackers were working for the Ministry of State Security, China’s intelligence and security agency, and that their activities posed a significant threat to the national security and economic interests of the United States and its allies.
Are all of these activities related to an understandable attempt by China to further its economic development—or could something more be going on? Could we be at war without knowing it?
In the words of U.S. policymakers, the United States is engaged in a global strategic competition with China. Yet, considering the actions of the Chinese Communist Party's leaders, they clearly view themselves at war with the United States. China is using data exploitation and technology in the same way that one might use weapons in the field of battle, seeking to achieve strategic goals and undermine its opponent’s will and capacity to resist.
The CCP's definition of war goes beyond the conventional military realm. It encompasses a broad spectrum of domains, methods, and actors that aim to undermine the enemy’s political, economic, and social stability. Qiao Liang and Wang Xiangsui, two Chinese colonels, articulated the concept of “unrestricted warfare” in a 1999 book that explored how China could defeat a technologically superior opponent like the United States. The authors argued that China should use “a combination of all means, including . . . military and non-military, and lethal and non-lethal means to compel the enemy to accept one’s interests.” And so the CCP has done, through cyberattacks, espionage, disinformation campaigns, intellectual property theft, economic coercion, and other forms of hybrid warfare against its rivals and adversaries.
Despite Xi Jinping’s public pronouncements of being a champion of world peace, development, and order, he has spearheaded China’s escalation of “unrestricted warfare” against the United States and its allies. The People’s Liberation Army has not only increased its conventional activities that threaten regional stability, but also has employed unconventional means such as economic, political, legal, cultural, and biological warfare to undermine American interests and influence. Xi Jinping’s rhetoric and actions are thus in stark contrast, with the latter revealing his true intentions of challenging the U.S.-led international system and seeking hegemony in the Indo-Pacific and beyond.
Information Is a Battlefield
One of the most critical elements of unrestricted warfare is the use of information as a weapon. As Qiao and Wang state in their book, “Information warfare is the primary form of warfare in the age of information.” They propose various scenarios and tactics for using information to disrupt, deceive, influence, and coerce the enemy, and in particular to target its political, military, economic, and information infrastructures. They note,
As we see it, a single man-made stock-market crash, a single computer virus invasion, or a single rumor or scandal that results in a fluctuation in the enemy country’s exchange rates or exposes the leaders of an enemy country on the Internet, all can be included in the ranks of new-concept weapons.
We are seeing this weaponization of information today. Since the publication of this book over twenty years ago, China’s definition of warfare has expanded via new technologies and capabilities. It has invested heavily in cyber, space, and electromagnetic capabilities and in artificial intelligence, big data, and quantum computing. It now possesses one of the world’s most powerful artificial intelligence programs, allowing the development of advanced data weapons such as deepfakes, bots, and autonomous weapons.
With regard to economic warfare, for decades China has systematically stolen valuable U.S. intellectual property, trade secrets, and human talent for its own economic, political, and military benefit. While in past years this might have been done by human intelligence assets including traditional human assets as well as nontraditional efforts such as the Thousand Talents Program, Chinese tactics have evolved such that it now uses generative AI systems and other social engineering techniques to acquire U.S. technology and know-how, such as cyber theft, industrial spying, academic infiltration, joint ventures, mergers and acquisitions, and talent recruitment programs. In the last year, Chinese economic espionage has cost the United States between $20 billion and $30 billion, eroding the country’s competitive edge.
China’s Data War
The CCP's multidimensional war against the United States undermines the competitiveness and sovereignty of U.S. companies and the security of individual Americans. One way the Chinese government achieves this is by imposing laws that give the country more control over data within and beyond its borders. For example, China's Data Security Law (DSL) classifies data based on its importance to the country's national security, and regulates its storage and transfer accordingly. The Data Security Law also applies to data outside China if it affects China’s national security or public interest. This will eventually create conflicts of laws and compliance challenges for U.S. companies that operate in China or have data related to China–a common occurrence these days. For example, U.S. companies may have to comply with both the Data Security Law and the U.S. laws that regulate data security and cross-border data transfers, such as the CLOUD Act or the Foreign Intelligence Surveillance Act. These laws may have different or contradictory requirements, forcing U.S. corporations to choose between supporting U.S. laws or chasing the financial incentive connected to following Chinese laws.
The Data Security Law also limits U.S. companies' and individuals' access and control over their data stored in China or related to China. The law's lack of distinction between “important data” or “national core data” means that the Chinese government maintains broad discretion to access and use data for national security or public interest purposes. This provision will make it difficult for U.S. companies and individuals to access or delete their data in China or to seek legal recourse in case of data breaches or misuse.
Another way that China is violating American data privacy is by launching cyberattacks and espionage against U.S. targets. These attacks expose American data to potential surveillance, theft, or misuse by Chinese authorities or actors. For example, China was behind the Office of Personnel Management breach in 2015, the Equifax breach in 2017, and the SolarWinds hack in 2020. China’s data laws may give it more access to and leverage over American data stored or processed in China and involving Chinese residents or interests. To counter this violation, the U.S. government should enhance its cybersecurity capabilities, strengthen critical infrastructure protection, and impose sanctions and deterrents against malicious cyber actors.
A third way China violates American data privacy is by manipulating public opinion to polarize Americans in an effort to undermine social cohesion and democratic values. China has used social media bots, trolls, fake news websites, and state-controlled media to spread disinformation, sow discord, and target individuals. China’s data exploitation likely enables it to do all of this more effectively and efficiently. The U.S. government should more aggressively counter China’s information warfare by supporting independent and credible journalism, investing in civic education, and promoting organizations that foster civil public dialogue.
China is not playing fair in the digital world. It uses a strategy of unrestricted warfare to fight an unaware American populace, using any means necessary to undermine American democracy at home and U.S. influence abroad. The U.S. government should take a comprehensive and coordinated approach to counter China’s information warfare. Protecting the data privacy of U.S. companies and American citizens from China’s violations is a matter of pressing national security—and, indeed, of survival.
Shane McNeil has held various roles within the U.S. intelligence community, including in the military, as a contractor, and as a government civilian. At the Defense Intelligence Agency (DIA), he served as an agent, analyst, and a senior instructor for the Joint Counterintelligence Training Activity. The views expressed in this article belong solely to the author.
Image: Chairman of the CCP Xi Jinping speaks at the United Nations Office in Geneva, January 18, 2017. (UN Geneva)