Fortifying the Stolen – China’s New Export Control Law

After massive global espionage, China has embarked on an ‘Export Control Regime’, and rightly so: they know the best loopholes in protecting their (stolen) IP. It took the developing world a whopping century or more to arrive at the technological maturity we enjoy today. I can’t believe how China has achieved global competitive excellence in 30 years.

Of course, we all know the espionage and IP violations that have been underway in building a parallel economy. The new Chinese Export Control Laws are a validation of that collective act over the last few decades. This blog goes into the details of the law as well as the rationale and spirit behind it. (The blog runs to 1100 words; reading time 4-5 minutes.) References are cited at the end of the blog.

Fortifying the Stolen

A thief knows best how to solve the riddle of a theft. That’s an age-old saying. In cybersecurity, while designing a solution for enterprises, I always recommend building the design on the principle of anticipating intrusions and attacks and fortifying the design accordingly.

After indulging in massive intellectual theft and global espionage, China is well aware of the weaknesses and the modus operandi. For those who are not aware, let me cite a recent example of a Chinese student at Duke University who stole her professor’s research and started a company (a product business) in China. She is not alone. The US and the western world are inundated with such stories. Even the most secretly developed US weapons are part of the espionage. If you recollect, the US and India too have suspended or removed the Chinese philosophical centers, the Confucius Centers, after finding out that they were indulging in espionage and intellectual theft. It is said that China has over 50 million workers overseas who regularly send pirated information. Ideally, if I had to learn cybersecurity, I should skip Lockheed Martin’s “Kill Chain” and focus on the ‘mechanism of China’s gargantuan machinery of IP theft protection’, aka the Chinese Export Control Laws cited below. They offer several Confucian (deep and reflective) thoughts on the nature of future defense. The world has a lot to learn and is significantly lagging behind.

On October 17, 2020, China passed a law restricting the export of sensitive items on national security grounds, and the law emboldens China to take countermeasures against any country or region that abuses export-control measures and poses a threat to its national security and interests. Each of these words is open to interpretation and an imminent threat to any country. All China has to do is establish a reason, and in their political culture it is not difficult to concoct a case. If I guess rightly, even this blog is subject to Chinese national security.

The Huawei Rejection

Why was Huawei’s 5G rejected by the advanced world? The core reason is that it would have given unfettered access to their network defense and collective defense; in addition, it would have created a threat to almost all electronic data flow (including cell phone data). The new Chinese regulations could prove similar to US export controls on strategic technologies. Those controls, covering military equipment, some encryption technologies, and some dual-use products, have long irked China. Chinese negotiators have often claimed that their trade surplus could be trimmed if the US would relax controls on high-tech goods.

Technologies within the Ambit

A total of 17 industrial sectors fall within the ambit of the Chinese Export Control Law. The focus is primarily on technologies of strategic and commercial significance such as:

  1. Pharmaceutical and biotechnology manufacturing, including technologies required for the development of vaccines;
  2. Technology relating to the development, testing, and maintenance of machine tools;
  3. ‘Strategic’ new product design technology for heavy machinery;
  4. Unmanned aerial vehicle technology;
  5. Speech synthesis technology;
  6. Artificial intelligence interaction and interface technology;
  7. Voice evaluation technology;
  8. Personalized information push service technology based on data analysis techniques;
  9. Cryptographic chip design and implementation technology; and
  10. Quantum encryption technology.

How does China bind technology transfers under statutory regulation? According to William Marshall, an authority in this sphere, “Order 709 imposes control over the transfer of technology from within China to outside of China whether by trade, investment, or economic and technical cooperation. The regulation purports to control all transfers of technology regardless of the type of technology or whether the technology is permitted, restricted, or strictly prohibited. For permitted technology exports, a simple recordal process is required, which recordal is made with the local bureau of commerce under MOFCOM with jurisdiction over the location where the requesting entity is established. Restricted exports are subject to a license requirement, which will also be applied for and obtained from the same commercial bureau”.

The Trump-initiated trade war has its roots long back in intellectual property rights and artificial currency conversion. We mock Trump for the theatrics and the tweets, but he was the most appropriate answer to China, where civilization and democracy do not work, or rather are thrown out of the window, and state-controlled capitalism operates under the guise of evolved communism.

The Great Wall of China – Importance of Chinese Export Laws

To an academician, to those practicing cybersecurity, and to those building fortresses to safeguard their IP and enterprises, these Chinese Export Control laws are very critical. Of course, reading them at face value may reveal little, but understanding the rationale and eventually reverse engineering a solution based on the bits and pieces of these new statutes will unravel a new mechanism for protecting this world from any further Chinese intrusion. The later we act, the greater the loss. Let’s call this the “Great Wall of China”.

What do the Chinese Export Control Laws Look Like?

Encryption and dual-use technologies are a facade that mimics the US Export Control Regime. However, the law goes deeper than what it reads. Whether items are approved for export depends on eight criteria: national security and interests, international obligations and external commitments, the type of export, the sensitivity of controlled items, the countries or regions they are intended for, the end-users and end-use, relevant credit records of exporting companies, and other factors stipulated by laws and administrative regulations.

Are the Chinese People Different than the CPC State Machinery?

I trust their genetic legacy of wall building, of oppression since the Opium War and the lessons of poverty, and, in the last 70 years, the submission of liberal views to state-sponsored thinking alone.

In my view, not all Chinese are like the CPC of China. Of course, as with any population, the usual principles apply here too: 3 standard deviations are people like us, which covers almost over 95%, and the outliers on either side exist as well, 1-2% extremely good and 1-2% given to malfeasance, the occult, and passive aggression. The worst of it, I believe, is that the CPC is comprised of the latter, and the CPC offers them the avenue and a podium to run such a wonderful country and people. If I guess it right, the CPC has, in the guise of a national agenda, hijacked the state. Can we call this the ’21st Century’s Great Wall of China’?

References:

China’s export control law to become ‘key dynamic’ in US relations; https://asia.nikkei.com/Economy/China-s-export-control-law-to-become-key-dynamic-in-US-relations

https://www.taiwannews.com.tw/en/news/4033061

https://www.ft.com/content/47562fd6-89f6-11e9-a1c1-51bf8f989972

https://www.tiangandpartners.com/en/contacts/william-marshall.html

https://merics.org/en/report/export-controls-and-us-china-tech-war

https://www.pwc.com/m1/en/services/tax/customs-international-trade/china-proposed-export-control-law-june-july-2018.html

https://ccdcoe.org/library/publications/huawei-5g-and-china-as-a-security-threat/

https://asia.nikkei.com/Spotlight/Huawei-crackdown/Huawei-5G-dominance-threatened-in-Southeast-Asia

Business Impact – Chaos From Cloud Transformation

Introduction

From my consulting and advisory discussions with the C-Suite and mid-management across customers from various verticals, certain patterns are discernible. It is increasingly evident that cloud transformation is beset with chaos – piecemeal initiatives, black holes that create a lack of enterprise-wide vision, costly migrations, and a disconnect with enterprise goals and objectives. Multi-cloud is adding to this noise and destroying enterprise value. A mechanism is missing to orchestrate and seamlessly integrate cloud transformation with visibility on risks, controls and accountability to achieve the desired value.

Business Impact of Chaos From Cloud Transformation

To cite an example, a major global auto manufacturer had multiple business units (BUs) independently embarking on cloud initiatives. Individual BUs had their own roadmaps, pipelines, priorities, and metrics at various stages of maturity. Independently, they seemed to be on the right path. However, competing dependencies between different teams and duplication of effort from piecemeal, siloed initiatives created a lack of integrated vision for the enterprise cloud transformation. My consulting engagement led to an integrated enterprise-wide cloud strategy that was aligned with the business goals and customer objectives, resulting in US$ 2.2 million annual savings, a faster Go-To-Market strategy, and delivery of the anticipated benefits.

Collating experiences across verticals such as home goods, toys, oil and gas, and banking revealed a spectrum of symptoms impeding migration. Most prominent amongst these were: lack of shared visibility on enterprise cloud transformation, disparate maturity of different BUs, under- or over-provisioning of resources, the double bubble from out-of-control spinning-up of instances, cultural and organizational inertia, improper adoption of an agile structure, vendor risk and resource optimization, issues with data, security, and inadequate standardization of the compliance framework, and challenges with technical debt.

What Lands A Cloud Transformation Into Chaos?

A root-cause analysis revealed that the above symptoms are associated with several underlying factors. Foremost amongst them are the lack of a cloud strategy that aligns with a unified vision and business objectives, the lack of a systemic approach and methodology towards the enterprise cloud operating state, apprehension about autonomy within a federated centralized structure, inadequate ownership and accountability, an inadequate threshold for risk management, and operational governance constrained to automation and visualization of logs, monitoring, dashboards, etc.

Current Solutions to Control Chaos with Cloud

To deal with these challenges, a supporting ecosystem sprang up with services and offerings such as function-specific vendor products or services (Apptio’s Cost TBM Management), Agile (mindset) development, operational governance tools, Enterprise GRC, IT and Security Governance, etc.

Proposed Approach

A holistic, integrated, life-cycle view was lacking. Also, sustaining migration requires creating robust processes and enabling a mechanism for visibility, accountability, and establishing controls. Realizing this, I conceptualized and envisioned the idea of integrated cloud governance that leveraged existing enterprise capital, its current state and objectives, and its future operating state and risks. Integrated cloud governance with a holistic life-cycle approach was a new idea in 2018, both with my employer and within the industry. I evangelized it internally to get the buy-in to build the competencies, and cross-pollinated the idea within the industry to establish a common vocabulary and framework. Industry collaboration with peers and end users was important to mature it and make it robust.

Building Internal and Industry Collaborations

I collaborated internally and externally to expound this offering. I cited two prominent advantages to my executive leadership: an enhanced potential for value realization for the customer, and an opportunity to better understand the customer footprint. I proposed this idea at the Object Management Group (OMG), an industry consortium focused on developing vendor-agnostic standards, with whom I had previously worked on updating the cloud migration standards. Our proposal won overwhelming support at the OMG’s plenary session. In June 2019, a ‘Practical Guide to Cloud Governance’ was published.

Solution Details and Benefits

I developed a comprehensive framework that identifies the risks associated with the different facets of an enterprise cloud journey. I proposed an end-to-end (E2E), enterprise-wide approach, framework, and methodology that would integrate the existing tools to offer a visualization of the E2E metrics and KPIs. It also provides accountability and controls, offers a federated policy engine, and gives enough autonomy to BUs without stunting their individual goals and objectives. The benefits are both tangible (cost saving, faster GTM, greater realization of benefits from cloud) and intangible (customer satisfaction, faster ability to align with the business, etc.).

Systems integrators (such as Wipro and IBM) and end customers such as T-Mobile, Thomson Reuters, and several others adopted the guidelines and methodology as a best practice. The guide turned out to be a high-impact publication with over 200 downloads per week across the globe. This innovation provides a framework for the industry to evolve cloud transformation.

Conclusion:

Integrated Cloud Governance offers significant tangible and intangible value for the customer, the industry, and the shareholders. My objective was to provide the highest quality of service to our customers. This is an example of how I identified a gap, built an innovative solution, and collaborated across the industry to advocate the customer’s interests.

References: A new Practical Guide to Cloud Governance

https://www.omg.org/cloud/deliverables/practical-guide-to-cloud-governance.pdf (June 2019)

https://www.omg.org/cloud/deliverables/CSCC-Migrating-Applications-to-Public-Cloud-Services-Roadmap-for-Success.pdf (Feb 2018)

Data with Future Enabled State?

Data (and Privacy), Regulations, Compliance, Security and Policies are the key to any Future Enabled State and, for that matter, to any cloud transformation. How do we factor data, security, compliance, regulatory and policy considerations into an integrated cloud solution?

So what is Dr. CSP?

I thought it right to devise an acronym for Data, Privacy and Regulations/Compliance: Data (and Privacy), Regulations, Compliance, Security and Policies (DR. CSP). A gamut of policies, procedures and processes need to be updated, along with a change in organizational culture, to understand and adopt the impacts and implications. What should we do to get this right? Often, while preparing a proposal, we just talk about cloud migration. Alas, migration is not a lone, isolated event; it has to factor in all dimensions of transformation. The acronym is simple: any Cloud Service Provider (even we can be counted in as a CSP) should be a DR. CSP. It may sound trite to those with a fantastic memory, but without being a DR. CSP we are unlikely to resonate with the customer.

Yes, data is number one. It is the ultimate asset of an organization. Data, data and data – the key enabler, or a bane, for the emerging Future Enabled State. According to Networks Asia, “By 2024, 90 percent of the G1000 organizations will mitigate vendor lock-in through multi and hybrid cloud technologies by using technologies such as containers and data fabric, these organizations will be able to flexibly and easily move workloads across environments while having full control over them”.

According to the same report, “Bank of America, for example, is using containers for app testing and development. By doing so, the bank’s developers and infrastructure staff are able to focus on high-value work instead of managing middleware systems and messaging buses, which do not generate revenue for the bank. Despite the benefits of hybrid and multi-cloud, they will not be the default IT architecture for smaller organizations. This is because data itself can be far less portable than compute and application resources, which affects the portability of runtime environments. Moreover, some cloud services may be exclusive to a particular cloud provider, which means that those services cannot be ported to other environments”.

An integrated solution is key to resonating with customers already in the cloud or intending to migrate to it. Providing an encapsulation and governance mechanism for critical enablers such as data, regulations, security, compliance and policies will drive success in the future enabled cloud state.

Interesting read: https://www.networksasia.net/article/4-key-trends-could-spark-digital-transformation-enterprises.1548732759

Imminent fragmentation of a string of Global Village

One of the factors that make us a global village is our ability to connect over the internet, the internet being a common highway for humanity to connect. With Russia discovering its renewed ability to develop a parallel track, we may see an eventual fragmentation of the way we communicate.

A prelude to imminent fragmentation: everyone will copy this model. So far, we have existed as a single earth, connected together by the internet, making it a global village.

With Russia testing a separate DNS (the Domain Name System, which resolves names such as google.com), it will be talking a different language in a different world. Ultimately, others will follow suit and eventually lobbies and multi-bloc reorganization may induce a multipolar world that may collaborate or, in extreme situations, be at loggerheads with each other.

Russia considers ‘unplugging’ from internet
http://www.bbc.co.uk/news/technology-47198426

Insider Threats: Lessons Learnt

Recent cyber attacks also point towards organizations’ primary vulnerability. Insider threat is more common than external cyber-attack. Despite the media focus on cybersecurity, it is important to be aware of the insider threat.

The authors shared ten lessons on insider threat. Though these are experiences from a different field (nuclear security) that is continuously exposed to security threats, it is nevertheless important to know their significance and implications.

Below are excerpts from “A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes” by Matthew Bunn and Scott D. Sagan, published by the American Academy of Arts & Sciences.

Even this brief comparative look at insider threats illustrates that such threats come in diverse and complex forms, that the individuals involved can have multiple complex motives, and that common, though understandable, organizational imperfections make insider threats a difficult problem to address adequately. Most nuclear organizations appear to underestimate both the scale of the insider threat and the difficulty of addressing it. Serious insider threats may well be rare in nuclear security, but given the scale of the potential consequences, it is crucial to do everything reasonably practical to address them. The main lesson of all these cases is: do not assume, always assess—and assess (and test) as realistically as possible. Unfortunately, realistic testing of how well insider protections work in practice is very difficult; genuinely realistic tests could compromise safety or put testers at risk, while tests that security personnel and other staff know are taking place do not genuinely test the performance of the system.

LESSONS

Lesson #1: Don’t Assume that Serious Insider Problems are NIMO (Not In My Organization)

Lesson #2: Don’t Assume that Background Checks will Solve the Insider Problem

Lesson #3: Don’t Assume that Red Flags will be Read Properly

Lesson #4: Don’t Assume that Insider Conspiracies are Impossible

Lesson #5: Don’t Rely on Single Protection Measures

Lesson #6: Don’t Assume that Organizational Culture and Employee Disgruntlement Don’t Matter

Lesson #7: Don’t Forget that Insiders May Know about Security Measures and How to Work Around Them

Lesson #8: Don’t Assume that Security Rules are Followed

Lesson #9: Don’t Assume that Only Consciously Malicious Insider Actions Matter

Lesson #10: Don’t Focus Only on Prevention and Miss Opportunities for Mitigation

Citation:

A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes


Sentiment Analysis in the Context of Insider Threat

https://insights.sei.cmu.edu/insider-threat/2016/12/sentiment-analysis-in-the-context-of-insider-threat.html