Why You Shouldn’t Host Sensitive Business Meetings in Hotels with Chinese Ownership
Several years ago, a Chinese firm bought the Waldorf-Astoria hotel in New York City, which historically played host to sensitive business and government meetings. Soon thereafter, President Obama and the U.S. State Department stopped using the Waldorf for these types of meetings.
“For a long time, China has been known to bug hotel rooms domestically,” Evan Anderson said to the group of technologists, security experts and business execs gathered at a Future in Review 2016 breakout session Wednesday afternoon. He was there to discuss his research on INVNT/IP’s Project Bedbug, an initiative to track the ownership of U.S.-based hotels by Chinese firms.
Anderson is the author of Theft Nation, a report detailing nation-sponsored theft of intellectual property by the Chinese government and government-sponsored Chinese firms. Theft Nation was featured in what would become the most-watched investigative 60 Minutes episode in the show’s history. (Full disclosure: He’s also my brother.)
On Wednesday afternoon, he reiterated China’s extensive recent history of bugging hotel rooms within its own borders to intercept and steal international IP. Due to instability in the Chinese economy, Chinese citizens have begun moving assets out of the Yuan and into U.S.-based real estate and other investments. Many of those are U.S.-based hotels, which Anderson is cataloguing in a list as part of his work with INVNT/IP.
“There are thousands of hotels owned by the Chinese government or government-affiliated firms worldwide,” Anderson said.
He noted that once Chinese government and nation-sponsored firms purchase these hotel properties, they often remodel and update hotel IT systems, creating a convenient opportunity to install Chinese-owned IT. These systems often come with backdoors operated by the Chinese companies that produce it.
“I wouldn’t host a major meeting at a location owned by the Chinese government or its affiliates,” Anderson said.
One small business owner who regularly conducts business in China talked about his own experience trying to avoid theft of his IP.
“You’re talking about a country that spends more on internal security than it does on its own military,” he said. “I run a technology company and I don’t have problems in any other countries.”
He spoke of his frustrations with finding recourse to his company’s troubles.
“We’ve gone to the FBI, we’ve gone to local authorities, and there doesn’t seem to be a good forum other than you guys for helping people like me out,” he said.
“You are going to be breached. It is going to happen,” said an executive of a major international firm. “We spend the most effort remediating.”
Businesses at the session also shared best practices for operating securely in China — using strategies like Virtual Private Networks and sandboxing to isolate risk, not buying any hardware in China and many others. They noted that even Chinese tax reporting software is bugged and should be operated on a siloed machine not connected to any company networks.
One business executive talked about watching devices purchased in China sending data back to Chinese servers through his company’s firewall.
“We can turn devices on and they start talking,” he said.
“You’re in the lion’s den, so it’s not ever going to be bulletproof,” noted one attendee.
There are legal protections against bugging and wiretapping, but many nations have laws protecting foreign sovereignty that make it very difficult to prosecute internationally. What penalties do exist are tiny in the grand scope of things.
“It’s like $5 million,” explained one security expert. “Who cares?”
A major point of discussion was what to do about nation-sponsored theft. Any counter-effort will require major security efforts on the part of U.S. firms, along with a concerted national policy approach.
One security expert talked about watching huge U.S. companies with Chinese business interests like Facebook lobbying for positions that would actually contribute to China’s nation-sponsored theft. Strangely enough, because these positions would improve these companies’ ability to do business in China and therefore the short-term financial outlook for their shareholders, these companies actually have a fiduciary responsibility to pursue these policies.
The government, the expert said, needs to take action that provides a legal backstop for these companies and releases them from certain fiduciary responsibilities when it would endanger the long-term viability of their business or U.S. IP as a whole.
Even beyond the theft of corporate IP, a large number of students of Chinese nationality have been recruited into IP theft from public research universities. Research universities around the country are increasing their enrollment of international students to cover costs, creating a short-term trade of financial benefit for long-term risk. Experts gathered at Future in Review noted that these practices are giving Chinese-sponsored firms even earlier access, by a factor of 5–10 years, to budding U.S. IP.
