The Impact of China-Linked Contractors on U.S. Security

The U.S. House of Representatives recently passed a bill that would force TikTok’s Chinese owner to either sell the video app or have it banned in the United States.

Although there is a debate over the details and approach of the law itself, the bill represents growing concerns over just how far the tentacles of Chinese spying reach.

Indeed, these tentacles are expanding well beyond TikTok through the complex and expanding sea of international economic cooperation, advancing technologies and intelligence gathering methods, intensive military integration with foreign partners, and the role of independent firms with valuable information. As a result, significant risks to U.S. intelligence have been identified in foreign bases where U.S. military technologies are used, at home through critical threats to U.S. infrastructure and technologies, and, most recently, through U.S. contracting firms with links to the People’s Republic of China (PRC).

PRC Military and Infrastructure Expansion

Over the past decade, the U.S. government has become more and more attentive to the threats posed by the Chinese Communist Party’s (CCP) extension of its technology and infrastructure across the world, particularly as the PRC has proliferated its Belt and Road Initiative (BRI) into states that are security partners with the U.S. At the same time, the Biden administration continues to implement its National Security Strategy of ‘integrated deterrence’ against China and is building deeper security relationships with global partners. Many of these partner states are adopting PRC technologies, military infrastructure, and civilian infrastructure, which the government believes present risks to U.S. intelligence and security. 

The U.S. Department of Defense (DOD), for example, has stated that the use of PRC Fifth Generation (5G) technologies by U.S. allies would “create security risks for DOD operations overseas that rely on networks with Chinese components in the supply chain.” Similarly, regarding CCP military equipment, General Michael Erik Kurilla stated in a U.S. Senate Armed Services Committee Hearing on USCENTCOM that the CCP’s expanding sales of arms and equipment in the region complicates partnership and cooperation with U.S. forces, noting, ‘...if there is Chinese equipment there, we are not going to be able to integrate it with U.S. equipment.’ PRC military infrastructure projects, such as ports and military bases, also raise red flags for U.S. security cooperation. 

As a result, both the Biden and Trump administrations have attempted to sanction the use of certain PRC technologies and infrastructure by U.S. partners that pose intelligence and security hazards. For example, the U.S. Central Intelligence Agency raised concerns about major Chinese investment in Israel, in particular the Haifa port, and eventually led the Israeli navy to take special actions to protect its platforms from spying. In 2021, CIA Director Bill Burns told Prime Minister Naftali Bennett the U.S. was concerned about Chinese investments in Israel, particularly in the tech sector and on major infrastructure projects, and pushed for the creation of an Israeli advisory mechanism to address the national security aspects of foreign investment (the Advisory Committee for National Security Affairs in Foreign Investment). The government has even pressured Britain to divest from Huawei in its 5G networks, in part to protect U.S. personnel and proprietary defense information in future deployments to British bases, and has resisted arms cooperation between U.S. allies and China and Russia.

PRC Hacking and Threats to U.S. Infrastructure

Security and intelligence vulnerabilities are also continuing to emerge at home. In 2023, Microsoft disclosed that a China-based hacking group, which they call “Storm-0558,” is focused on “gaining access to email systems for intelligence collection” and has breached an unidentified number of email accounts linked to around 25 organizations, including some related to individual consumer accounts and government agencies in Western Europe and the U.S. More recently, U.S. officials and industry security officials told The Washington Post that the Chinese military is ramping up its ability to disrupt key American infrastructure, including power and water utilities as well as communications and transportation systems by burrowing into the computer systems of these entities.

Earlier this year, the U.S. and international cybersecurity authorities issued a joint Cybersecurity Advisory (CSA) following the discovery of a cluster of activity of interest associated with a PRC state-sponsored cyber actor, Volt Typhoon. Volt Typhoon, which has traditionally focused on espionage and information gathering, has been developing capabilities that could disrupt critical infrastructure in areas that include communications, manufacturing, utilities, transportation, construction, maritime, government, information technology, and education. According to the Executive Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), Brandon Wales: 

It is very clear that Chinese attempts to compromise critical infrastructure are in part to pre-position themselves to be able to disrupt or destroy that critical infrastructure in the event of a conflict, to either prevent the United States from being able to project power into Asia or to cause societal chaos inside the United States–to affect our decision-making around a crisis.

Security Risks from US Contractors in China

U.S. officials are also becoming increasingly unsettled over some of America’s defense contractors’ proximity to China. Earlier this year, the chairman of the Homeland Security and Governmental Affairs Committee called for a probe into federal contracts involving private consulting companies that work for both the U.S. government and the Chinese government (and PRC state-run firms) and warned of the potential for major national security risks. In a letter to the U.S. Government Accountability Office (GAO), the Committee cautions:

In some instances, consulting firms have supported entities directly tied to the Chinese government, including by building artificial islands to position missiles, fighters, and bombers in the South China Sea, and participating in exercises for an amphibious assault on Taiwan. We are concerned that the provision of such services simultaneously could create conflicts of interest that threaten American national security and undermine U.S. foreign policy.

Indeed, many U.S. companies that operate in China pay a heavy price in terms of national security. The CCP aggressively monitors foreign firms and forces them to abide by Chinese rules. These firms may also become vulnerable to subversion while in the country. As a result, some experts forewarn that Chinese intelligence officers are stealing their trade secrets and extracting their data. 

The CCP also enacts laws that actively facilitate espionage against foreign companies. China’s National Intelligence Law, for example, declares that “any organization and citizen shall, in accordance with the law, support, provide assistance, and cooperate in national intelligence work, and guard the secrecy of any national intelligence work that they are aware of.” Some analysts interpret this law as requiring Chinese companies to cooperate with intelligence services, including compelling the installation of backdoors to provide private data to the government. Hence, U.S. military consulting firms working with PRC companies may be at risk for exposure. 

Another CCP law requires, among other things, that technology companies that discover or learn of a hackable flaw in their products must share information about it within two days with the PRC’s Ministry of Industry and Information Technology. The Ministry then enters the flaw into the PRC’s Cybersecurity Threat and Vulnerability Information Sharing Platform, or National Vulnerability Database. The data is then shared with several other government bodies, including China’s National Computer Network Emergency Response Technical Teams/Coordination Center, or CNCERT/CC, which, in turn, makes the information available to technology "partners" that include Chinese organizations devoted to exploiting these vulnerabilities. 

One such partner, the Beijing bureau of China's Ministry of State Security, has been identified by the White House, the Department of Justice, the United Kingdom, the EU, NATO, and governments from Japan to Norway as being responsible for many of the PRC’s most aggressive state-sponsored hacking operations in recent years and for other spying and cyber-crimes and attacks. CNCERT/CC information is also shared with Shanghai Jiaotong University and the security firm Beijing Topsec, both of which have a history of lending their cooperation to hacking campaigns carried out by China's People’s Liberation Army (PLA).

Despite these security concerns, the federal government–including its key defense agencies–continues to allow its contractors to work closely with the Chinese government. For example, the Departments of Defense and Homeland Security awarded SAP Concur, a cloud-based company that provides travel and expense management software, and its subsidiary, a contract despite the organization having offices in Beijing, Shanghai, and Guangzhou. The company also works with several Chinese companies including Alibaba, Tencent, and Baidu that, according to China’s National Intelligence Law, are required to support and assist the CCP and the PLA. SAP Concur also stores its China service data in China. 

U.S. Procurement of PRC Equipment

Susceptibilities also occur through government purchases of foreign equipment. Surprisingly, the U.S. government is still purchasing some Chinese-made drones from DJI, a leading PRC drone manufacturer which was labeled a Chinese military company in 2022 by the Department of Defense and receives financing from four investment bodies owned or administered by the Chinese government, including one tied to the People’s Liberation Army. Although there has been progress, such as the banning of “foreign-made unmanned aircraft systems” under the National Defense Authorization Act for Fiscal Year 2023, purchases are allowed for civilian federal agencies, such as the U.S. Secret Service and the Department of the Interior, as well as many state and local governments.

In conclusion, threats to intelligence and security continually evolve as technology and methods advance and geopolitics change. In recent years, the U.S. Department of Defense has identified many of these new potential intelligence breaches and security vulnerabilities posed by CCP technologies, infrastructure, and firms in foreign countries in which the U.S. maintains security cooperation. However, there is a greater need to address these vulnerabilities at home, many of which are exploited through activities nested in the private sector, U.S. contracting firms, and government institutions. As a result, it is critical that the government adapt information security and cybersecurity to this increasingly intricate environment and apply greater scrutiny and standards to governmental relations with the private sector.

Dr. C. Alexander Ohlers is a Visiting Fellow at the University of Tennessee where he teaches international affairs and politics. He is an expert analyst in international security, geopolitics, and international economics and development and is a former Senior Analyst for the U.S. Department of State in the Middle East. 
