Kenny Rogers, China, and the tech business

Few know it, but the great songwriter Kenny Rogers also had a lot to teach the world about cybersecurity.

No. Seriously.

His classic song, “The Gambler,” is not just a story about wagering, it can be read as a parable about cybersecurity and, in today’s lesson, about the perils of doing business in authoritarian nations. The famous chorus begins:

“You got to know when to hold ’em,
Know when to fold ’em,
Know when to walk away,
And know when to run.”

This advice is, or ought to be, salient for anyone operating in China today.

If the story of “The Gambler” is a cautionary tale about risk assessment, risk mitigation, and reading the room, many of America’s largest tech companies have failed to learn the lesson. Rather than folding a losing hand, they are putting more chips into the pot. Seeking the payoff of a large and lucrative Chinese market, they are risking the security of their operating systems and cloud architectures, their own intellectual property and their customers’ data.

It’s a bad bet.

As the U.S.-China Economic and Security Review Commission put it earlier this year: “control[ling] information and data flows is a national security priority for China.”

In service of this goal, the Chinese government is known for its legal adventurism and its willingness to bully foreign companies. It routinely intrudes into the operation of foreign firms, even going so far as to allow the Communist Party to select managers for manufacturing plants located in China.

Likewise, foreign tech companies are facing growing pressure to share sensitive technology. Under the guise of scrutiny for security threats, companies like Apple are increasingly subject to reviews by the Chinese government that target their encryption practices and compel the company to localize its data in Chinese data centers. These “reviews” are viewed by many China experts as a way to extract trade secrets in exchange for market access. And in a worst-case scenario, Chinese hackers might use the information to exploit discovered vulnerabilities. When companies, like Microsoft, share their source code with the Chinese government, the risks can only increase.

Likewise, Chinese law increasingly intrudes directly into the cybersecurity posture of foreign corporations. The law obliges tech companies operating in China to turn over their data and any recognized security vulnerabilities to government authorities, as a condition of continued access to the Chinese market. Again, this creates risks. If China were a benevolent state actor, these risks might be negligible. But increasingly we know that China is not benign. Just look at the Chinese-backed HAFNIUM group targeting the Microsoft Exchange server system to understand the nature of the threat.

Facing these confounding risks, it’s not difficult to imagine American tech companies folding a bad hand. But they haven’t. Instead, most of them have increased their bets — decisions that strike many observers (including me) as unwise.

Consider a few examples.

Microsoft has five data centers in China today and plans to build four more in the coming years, effectively doubling the amount of data stored locally. Amazon Web Services, likewise, operates cloud data centers in China, as it moves to compete with Alibaba.

Similarly, as Klon Kitchen of AEI has noted, many of our largest tech companies maintain artificial intelligence research centers in China. Indeed, more than 10 percent of our AI research by the likes of Facebook and IBM is done there. Microsoft’s Beijing-based Research Asia Lab is the company’s largest outside of the U.S. and is credited as being the “single most important institution in the birth and growth of the Chinese AI ecosystem over the past two decades.”

Not all companies have ignored the risk. After initially approaching China, Google has abandoned the country almost completely. The company opened an AI research center in China in 2017 but quickly closed it two years later. And although the company continues to sell ads in China, it has no data centers in mainland China and doesn’t market or sell cloud services there. Perhaps most saliently, its core consumer products — Google Search, Google Workspace, Google Play, YouTube and others — are not offered on mainland China.

What’s the better answer? Given the risks of conducting business in China, American tech companies face a stark choice. Either they stay at the table and push more chips into the pot — or they decide to fold their hands and walk (or even run) away from China. “The Gambler’s” chorus continues with these lines:

“You never count your money
When you’re sittin’ at the table…”

Some U.S. tech giants are still at the table, counting their profits. Kenny Rogers would tell them that they’re making a mistake.

Paul Rosenzweig is the Founder of Red Branch Consulting, a homeland security and cybersecurity consulting firm. He previously served as deputy assistant secretary for policy at the Department of Homeland Security. Red Branch Consulting has present and former clients with interests in cybersecurity issues and the economics of IT systems adoption. The opinions expressed are exclusively those of the author.