Microsoft recently invited up to 800 of its employees presently living and working in China to relocate to other countries. The move is a corporate recognition of the rising tensions amidst a tech race between China and the United States.
Of concern to the U.S. is China’s ability to develop advanced generative artificial intelligence (AI) assessed to be stolen from Microsoft engineers through corporate espionage and threats of intimidation. Undoubtedly, there are even more genuine reasons for concern.
Microsoft has had a large and, until recently, growing presence in China for over two decades. Presently, Microsoft employs almost 5,000 people in China, 80% of whom are software engineers. These hard-working folks innovate and create the source code for products used widely by the U.S. government, including Office, Exchange, Teams, Windows, and Azure. The company operates six data centers throughout China.
As the Wall Street Journal has reported, “[F]or decades, the Redmond, Wash.-based tech juggernaut has stood out among U.S. tech companies for its large footprint and close relationship with China… Over the years, Microsoft, whose offerings range from business software to videogames, has also built up a sizable research-and-development team in China focused on cloud computing and AI.”
While a smart business decision on the face of it, this large footprint has a downside: it poses a serious national security risk for the U.S. government. China’s 2016 National Cybersecurity Law requires technology companies operating in that country to store Chinese user data on mainland servers and to provide the government with access to source code, encryption keys, and backdoor access.
This isn’t the first time that Microsoft was required by law to provide sensitive information to the Chinese government. It already provided source code through one of five China-based Microsoft Transparency Centers. And as far back as 2003, Microsoft allowed China to review source code for its Windows operating system. Who needs to claim corporate espionage when “legitimized” theft is tolerated by Microsoft and endorsed by Chinese government actions?
This situation is precisely as bad as you think it is.
In April, the Department of Homeland Security’s Cyber Safety Review Board issued a report that blasted Microsoft for what it described as “shoddy cybersecurity practices, lax corporate culture, and deliberate lack of transparency” in the wake of a hack by Chinese state actors of U.S. government officials’ email accounts, including that of Commerce Secretary Gina Raimondo.
By providing Chinese state regulators with advance notice of vulnerabilities before notifying customers or U.S. authorities, as mandated under Chinese law, Microsoft has negligently, and perhaps willingly, facilitated cyberattacks on U.S. government systems. On Oct. 6, 2022, an interagency advisory from the Cybersecurity and Infrastructure Agency, National Security Agency, and FBI highlighted that 20% of the top Common Vulnerabilities and Exposures (CVEs) exploited by the People’s Republic of China since 2020 were found in Microsoft systems.
Furthermore, the security products that Microsoft sells in China, such as Sentinel, Defender, Synapse, and Azure Firewall, are the same products used to protect U.S. homeland systems, yet they are also subject to China’s National Cybersecurity Law, increasing their susceptibility to thousands of intrusions and cyber-attacks by China.
This strategic vulnerability is not limited to just national security. Microsoft’s close relationship with the Chinese government placed it in the crosshairs of human rights abuses. The U.S. Department of Commerce, for example, cited Microsoft as supporting the “mass arbitrary detention, forced labor, involuntary collection of biometric data and genetic analysis” targeted at Uighurs and other minority groups.
Microsoft has also been accused by the U.S. Senate of being “complicit” in China’s human rights abuses after the firm’s staff colluded with a Chinese university on artificial intelligence research. And Microsoft’s compliance with Chinese censorship laws means that Chinese citizens have no access to information on protests and critics of the Chinese government.
Microsoft has been tight-lipped about its offer to move a few hundred employees out of China, but most observers believe it is a gesture to concerned American policymakers that the company is taking the Cyber Safety Review Board’s criticisms seriously. Actions are stronger than words. Microsoft must do more than cosmetic posturing. It must demonstrate a willingness to walk away from a government that we know uses its products to spy on American officials and undermine our national security interests.