Unmasking the Dragon's Byte: Exploring Cybersecurity Risks in the China Context

And yes, I believe we have a very, very interesting panel here. I think starting with the title and the topic, unmasking the Dragons by exploring cybersecurity risks in the China context. And I think this is something which is of high interest for, for many organizations because many of you do business in China, with China, and we all know this is a tricky thing, a lot of uncertainty. And I'm, I'm really, really glad that we have a fantastic lineup of panelists here. I'd like to start with Mary, she's executive vice president and senior policy advisor Stevens, which is a bank, an investment bank in the us. Then we have Miles Yu, who is senior fellow and director at the China Center of the Hudson Institute, and a lot of more things, I think all of them. They will probably introduce themselves very shortly or very briefly right after. And then we have last, at least Gary Haron, who is Global CSO at Johnson and Johnson. So three people that all are, so I think we're very knowledgeable about China and cybersecurity context. So welcome to all of you. And yeah, maybe we'll start with a bit more introduction than I did very briefly, as I've said. Maybe again, let's start with Mary and then Miles and then Gary
Wwo. Wonderful. Can you, can you hear me, mark? Yes.
Perfect.
Excellent. Well, thank you for the opportunity to, to be with you today. A as you said, I'm, I'm with Steven's Investment Bank, but prior to this I was the right hand to the Secretary of State and played a, a role along with miles of reorienting our approach to communist China. And prior to that I was based in New York and Hong Kong with the Wall Street Journal editorial board. So while I'm not the China expert that Gary and Miles are, I have a lot of practical experience, so I'll speak to you from that point of view. Just broadly speaking, I think what we've seen is an awakening to the realities of doing business with what is a totalitarian regime with proliferating risks. Certainly the cyber risk is what you're focusing on today, but companies face far, far more risk than that doing business with Beijing. They face legal risk, they face reputational risk.
This is a regime that's committing genocide. They also face physical risk to their people. We had multiple instances of Americans who had been seized and unable to leave the country. And when it comes to cybersecurity, let's be frank, there is no cybersecurity in China because of their legal system, whether it's the counter espionage law or military civil fusion or other quote unquote laws on the books. The reality is that the party does what the party wants. This is not a nation with the government, it's run by a Marxist londonist regime. And they, they want to take your data, they will get your data. Okay, so next one, that's the overview and I'll leave it there. Miles. Miles,
Yeah. Well thank you Martin for having me here. And I think that I, I concur with, with Mary everything we, when we deal with China, we have started with basically three basically understandings about China's reality. Number one, from economic point of view, China is essentially a non-market economy. And that's almost like a global consensus. Despite all this superficial market practices, China economic decision, China's economic mechanism is run by, by a communist party. So it's not market oriented. So which ba number one, number two basically just said China is a communist country. That means the politically, the Poly Bureau decides all the major decisions including economic decisions, also both cyber directions. So Chairman Xi, he's the chairman of everything. Much part of that deals with security and cyber. The number three reality is that China does have a global ambition for dominance, particularly from the perspective of trade economy, crystal critical infrastructure and technology. So those are the three things I think, you know, we have to start with. And I, I want to mention two things. One is, I, I'm thinking know right now the e-commerce, it poses a very serious threat to not just the national security, but also to a large number of American consumers. Amazon, you know, two thirds of Amazon sellers are based in China and the, the Chinese sellers conduct a lot of economic crimes miles on Amazon. Yeah, miles, they write fake reviews.
May I can't stop you. Hundred
Of concrete goods and a lot of things. So, and, and there's still like Amazon's corporate data even. So what now they're gonna try to, to, to, to undermine Amazon by creating the Chinese major giant e-commerce
Platform. Okay. Thank, thank you. Miles here,
Shine
Miles. Maybe we keep the answers in the future a bit more brief. Kindly over to you, Gary. So you come from a sort of less of a political end of things, but more from the sort of economic end of things. So, so maybe you introduce yourself quickly and, and maybe a first in little brief statement and then we go into the questions.
Sure thing.
Martin. So as you said, I'm the currently the global CISO at Johnson and Johnson. I've been in cybersecurity for about 28 years. I was the global CISO at Bayer prior to this in Monsanto before that. Also spent some time at Anheuser-Busch and with the US government early in my career. And, and throughout that 28 years, I've always had operations in China, business in China that we've had to deal with and, and, and work through. And, and I think the most important thing as we heard from the intros is that we go into operating in China, kind of eyes wide open, understanding the risk, but also understanding the opportunity and that there are consumers there that we wanna, we wanna serve and, and bring products and services to. But it's important to understand the landscape, understand the risk of the company, and how best to operate there.
Yeah. So maybe let me follow up with a question to you Gary then, and this is, what are some of the benefits of operating business in China?
Absolutely. I mean the, the first benefit I would say is just the size of the market. There is a large group of consumers, of customers, of patients, of, you know, growers during my time in Monsanto. I mean, there's a, a sheer market size there that is going to be attractive to most companies. I think also there is a lot of innovation happening in China now, you know, for, for various sources. But there is I think a lot of demand for increasing capabilities, whether it be in technology, in healthcare. So there's a lot of business opportunity in the market and you know, I think for companies that are bringing forward, such as Johnson Johnson, we're bringing lifesaving treatments and products forward. There's a set of patients there we wanna serve as well. So I think from the business side, big opportunity, but again, it's very important to understand how to operate there to protect the rest of the global business as well.
Yeah, and I, I think that you, you brought up a couple of interesting points and I'd like to gather the views of the panelists here. A bit of, and one of, one of this is you brought up innovation on one hand. On the other hand, there's the academic exchange for instance as well. There's a lot of companies in across the globe become inquired by China. So, so also IP flowing to China. And I remember a, a friend of mine is, has been the, or has been the founding director of Merricks, which is the MacArthur Institute, Institute of China studies here in Germany. And he told me probably decades ago that every, every Chinese student, which comes to Europe for instance, or to Germany, ha, has a talk with the Chinese Secret service, so to speak ahead of this. So they are not here just for, for studying. So what are your perspectives on this? And again, i I kindly ask for, for very brief answers. Miles, do you want to quickly start and then hand over to Mary?
I think you, you just actually said pretty clearly, China's security apparatus is progressive, so you're absolute right. Every students coming to the west, they have to be briefed by their national security app warning them to comp to have absolute compliance. We have close to 300,000 Chinese students here. Not every one of them is a spy, but they have to, to be compliant with Chinese demands from the State Security Bureau. So that's a, that's a, it's not even a, the potential security risk. It's a real risk already. Okay.
Mary, anything to add here?
Yeah, I talked to, I talked to CEOs and boards and institutional investors across America and across Europe and, and Asia. It's important to say that FDI has turned negative in China, that not every company thinks of China as a great market opportunity. That Motorola actually exited China more than a decade ago because Huawei stole its tech. They came to an agreement and they can't talk about it, but they're not there because you have to look at what China does not at what China says. And when you look at, in particular on the cyber front, there's absolutely no indication that China intends to improve the operating environment for the folks who are attending cyber revolution today. So, you know, what I'm telling clients is, you know, you saw the pullout from Russia that happened within the span of weeks. You have to be prepared for that to happen with China as well.
Okay. And let, let's assume you're, you're continue doing this with China. A lot do, and I think they're good. Like Gary also brought up there, there, there are good reasons to do and there are things we need to be concerned of. And I think at the end we are talking about risk and risk management at the end. I, I I would say it's a risk management thing here to understand the risks so that you, and to be prepared for things to happen so that you can act accordingly. And I, I think the, the first thing is maybe Gary, what measures should businesses take to protect their sensitive data and intellectual property while doing business in China?
Very good question. You know, I think the, the first thing is just understanding what, what market are you trying to serve? So are you developing products in China for China? Are you producing products in China for China or for the rest of the world? And, and being very, I would say purposeful on where you do r and d for certain products and scopes and where you do manufacturing and supply chain activities. I think it's also important to understand the five-year plan, the, the strategy within China, because that also does align fairly well with cyber risk. So understanding your industry and, and the business that you do, what their level of interest is, what their, their partnership perspective is for working with you and, and kind of what the long game is in that industry. I think it's very important to understand that understanding the geopolitical risks, the changing and emerging laws and regulations, especially, it's been, it's very, been very erratic recently in terms of release of cybersecurity regulations, privacy regulations, data localization laws, so understanding all of those, then assessing really what's the business opportunity, how do we put those controls in place to be able to, to serve the market, to take advantage of those opportunities, but also manage the risk of the rest of your global business.
And, and, and a lot of the same cybersecurity controls need to be put in place that need to be put in place elsewhere, but it's really about placement of data and activities and how you understand that.
Yeah. Is it, is it maybe Mary, is it possible to do business in China from your perspective and protect your data?
So I'm the vice chair of a New York stock exchange listed company. We have exposure in China also on a prior board. And our conclusion was, no, you can't, it's a totalitarian regime as Gary has just laid out. They have every power to take whatever it is that they want and, and they will do that. In fact, that's, that's official policy. And so, you know, I I think it's, it's, it's remarkable to see c-suites really approach investing in China with a completely different set of principles than they do any other market in the world. There's no other market in the world where you would sink so much capital in cyber tech where there's no real rule of law, property protections risk to your people where you'd allow communist party officials to sit on your China boards. It just, it wouldn't be done. And so I think there's a real awakening happening.
I think you see it in the data. I mentioned the FDI data and you don't really see this so much, but Steven serves small and medium sized firms and you know, you hear a lot about the Fortune 100 companies staying in China, like the big ones like j and j and Apple, but everything below that, people are getting out and they're diversifying. And I hear it all the time when I talk to companies across America. But one last point, miles, I don't know if you want add to this. I think we talk about the China cyber threat as being simply from operating in China. I think that threat extends into Germany, into your operations at home. It, it's not just the threat within the mainland that you have to worry about. I
Just don't wanna add to Mary what Mary said as much as China's formidable and uninvestible environment. China also has weakness of vulnerabilities as well because China is essentially very critically dependent upon the global free trade system market. So we have leverages and we have not used leverage correctly. That's because in the past, for example, Volkswagen problem precisely just like that, it's a Volkswagen problem. GEs problem in the US with China is just that it's problem. So we have to really use the government sovereign power to negotiate with China. Nothing will, will please China more than they deal with the one company or business separately from the government. Xi Jinping is meeting Biden right now. One of the major demands they have in terms of protocol is Ji wants to meet with all these Silicon Valley tycoons, you know, Elon Musk and all guys first before he meet President Biden White House said no. So we have really to, to, to use the, to combine the business interest with the national interest and that's probably the better way to do it. And otherwise China is never gonna yield, we gotta deal with you one
By one. But, but but isn't, isn't isn't that something which sort of the, the western world can't easily solve. So I, I think at the end of the day, there, there i, from what I observed there, there are two fundamental differences. One is you're, we are dealing many countries with somewhat different in interests, with different targets, with one large player that is very sort of monolithic in the way it acts, the party, et cetera. The other thing is, I think the, a huge difference I observe and, and correct me if I'm wrong, is that in China, but for instance also in in Japan, there's much more long-term strategic thinking than more the tactical thinking we have in, in the western countries. And this makes it probably more difficult than to, to have sort of a well thought out strategy. Mary, what's your point on that?
I mean, we've been propagandized for 40 years, all of these catchphrases, long-term thinking win-win outcomes, this is straight outta the united front. In fact, China's a very short-term thinker. Xi Jinping screws up all of the time, look at the three-year covid lockdown, the guy has a middle school education, but I'm sure no one in your audience knows that. I just wanna return back to the point about where these risks can be found. It's not just in your mainland servers. And Gary, I don't, I don't know if you wanna speak to this, but one company, a major company, fortune 100, told me they had more IP stolen in the Midwestern operations of the United States by people that the CCP had embedded in their company than they did in mainland China because they, they thought that the theft would occur in mainland China and they weren't looking, you know, right in their backyard,
Gary.
Yeah, no, it's, it's a very good point in that, you know, know, we've talked a lot about operations in China and you made this point earlier as well, Mary, the, the risk isn't just with operations in China. And, and this comes back to the importance of understanding strategically how China views your industry, your business, what their interest level is and how you partner. Because it, it doesn't necessarily know boundaries. It's not just in China. It can be a risk outside of China. Even if you pull out of the market, that doesn't mean that there's still not an interest level and a level of risk that you have to manage going forward.
Okay, so we, we have a little bit of time left and I, I'd like to first ask you for a very brief statement on, on what is your most important recommendation to a business that wants to continue doing business in and with China? Very brief statement and like summarize a bit and we ask for questions. So, ma do you wanna start?
Yeah, again, you know, I think that we have to start with the, the heightened awareness of doing business, the risk of doing business with China. And every company obviously has an interest in China because of market share, because of the access to capital. On the other hand, we definitely should have a plan B for every company. Even Apple, I mean have a plan B. Secondly, I say earlier, it's really important to, to have your government to deal with the Chinese government on behalf of business corporations. You cannot deal with it one by one. Okay? The only reason Xi Jinping is here in San Francisco meeting with, with Biden is because for the first time in decades, the US Secretary of Commerce spoke on behalf of American interests as a group and she's in charge of implementation of the sanctions about the extra export control. So that's the reason we, we have deal with that. We tried during the Trump administration, you know, Pompeo ask many people come to dinner and we didn't convince them. Okay,
Mary,
Well I I never tell companies what to do. I just kind of, I give them the framework through which to, to think about these questions. And I think first of all, to Miles's point, be be realistic about the risks that you face and the fact that the trajectory is that they will become more complicated, not less we can look at at, at history and data and, and prove that. Secondly, ask if you're making exceptions, are you really holding true to your ESG for instance rules and your ethics, you know, operating in China or are you making different rules? And, and thirdly, you know, ask the tough question, is it better for you to be a smaller company with a more sustainable business plan exiting China than it is to take your risk for your company, for your employees and your shareholders and your customers to stay invested in. Let's again be honest, this is a totalitarian regime with no rule of law, no property rights that's committed to essentially taking over the free world. I mean, that's what they say. That's not an emotional statement. Not a political statement. That's the reality here. So be realistic about the risk, ask if you're holding true to your company principles and then ask yourself is the the business plan that I've laid out sustainable. Okay. Over to the, near the medium term, Gary?
Yeah, I would just kind of back to some of the earlier statements. I'd be very thoughtful about the approach. Again, have the right, the right insights and understanding of their strategy, how it aligns with your strategy and your business, and have the right expertise and knowledge, whether it be inside or you bring in help outside to inform you on the risk and how you operate in a safe and responsible way, whether you're in country or not in country, I think it's still important to have that understanding.
Yeah, so at the end it's about very proper risk management, which means understanding the risks of operating China or in other countries. It is having the mitigation measures, the plans in place when you need to, to, to act and to be very conscious about these risks. I think this is at the end of the day what you told us about. And so thank you very much for these insights. The, the, also the, the depth of insights in the backgrounds on this because I think it's something which is important. I think it also, one of the points is that we had other talks from other dis perspectives like around misinformation, disinformation, malformation. I think CISOs, for instance, must understand geopolitical impacts now they must take it into the equation because it's not just it anymore. We are looking at there's much more which involves cybersecurity nowadays. Thank you very much for taking the time to be here and for all your insights. Pleasure.
Thank you Martin.
Thank.