Fortifying the Stolen – China’s New Export Control Law

After massive and global espionage, China has embarked on an ‘Export Control Regime’, and rightly so: they know best the loopholes in protecting their (stolen) IP. It took the developed world a whopping century or more to arrive at the technological maturity where we are today. I find it hard to believe how China has achieved global competitive excellence in 30 years.

Of course, we all know about the espionage and IP violations that have been underway in building a parallel economy. The new Chinese Export Control Law is a validation of that collective act over the last few decades. This post goes into the details of the law as well as the rationale and spirit behind it. (The post runs to about 1100 words; reading time 4-5 minutes.) References are cited at the end of the post.

Fortifying the Stolen

A thief knows best how to solve the riddle of a theft. That is an age-old saying. In cybersecurity, when designing a solution for an enterprise, I always recommend building the design on the principle of anticipating intrusions and attacks and fortifying against them.

After indulging in massive intellectual theft and global espionage, China is well aware of the weaknesses and the modus operandi. For those who are not aware, let me cite a recent example of a Chinese student at Duke University who stole her professor’s research and started a company (a product business) in China. She is not alone; the US and the western world are inundated with such stories. Even the most secretly developed US weapons are part of the espionage. If you recollect, the US and India, too, have suspended or removed the Chinese philosophical centers, the Confucius Institutes, after finding that they were indulging in espionage and intellectual theft. It is said that China has over 50 million workers overseas who regularly send back pirated information. Ideally, if I had to learn cybersecurity, I should set aside Lockheed Martin’s “Kill Chain” and focus on the mechanism of China’s gargantuan machinery of IP theft protection, aka the Chinese Export Control Law cited below. It offers several Confucian (deep and reflective) thoughts on the nature of future defense. The world has a lot to learn and is significantly lagging behind.

On October 17, 2020, China passed a law restricting the export of sensitive items on national security grounds. The law also emboldens China to take countermeasures against any country or region that abuses export-control measures and poses a threat to China’s national security and interests. Each of these words is open to interpretation and is an imminent threat to any country. All China has to do is establish a reason, and in its political culture it is not difficult to concoct a case. If I guess rightly, even this blog post is subject to Chinese national security.

The Huawei Rejection

Why was Huawei’s 5G rejected by the advanced world? The core reason is that it would have given unfettered access to their network defense and collective defense; in addition, it would have created a threat to almost all electronic data flows (including cell phone data). The new Chinese regulations could prove similar to US export controls on strategic technologies. Those controls, covering military equipment, some encryption technologies and some dual-use products, have long irked China. Chinese negotiators have often claimed that their trade surplus could be trimmed if the US would relax controls on high-tech goods.

Technologies within the Ambit

A total of 17 industrial sectors fall within the ambit of the Chinese Export Control Law. The focus is primarily on technologies of strategic and commercial significance, such as:

  1. Pharmaceutical and biotechnology manufacturing, including technologies required for the development of vaccines;
  2. Technology relating to the development, testing and maintenance of machine tools;
  3. ‘Strategic’ new product design technology for heavy machinery;
  4. Unmanned aerial vehicle technology;
  5. Speech synthesis technology;
  6. Artificial intelligence interaction and interface technology;
  7. Voice evaluation technology;
  8. Personalized information push service technology based on data analysis techniques;
  9. Cryptographic chip design and implementation technology; and
  10. Quantum encryption technology.

How does China bind technology transfer in statutory regulation? According to William Marshall, an authority in this sphere, “Order 709 imposes control over the transfer of technology from within China to outside of China whether by trade, investment, or economic and technical cooperation. The regulation purports to control all transfers of technology regardless of the type of technology or whether the technology is permitted, restricted, or strictly prohibited. For permitted technology exports, a simple recordal process is required, which recordal is made with the local bureau of commerce under MOFCOM with jurisdiction over the location where the requesting entity is established. Restricted exports are subject to a license requirement, which will also be applied for and obtained from the same commercial bureau”.

The Trump-initiated trade war has its roots long back in intellectual property rights and artificial currency conversion. We mock Trump for the theatrics and the tweets, but he was the most appropriate answer to China, where civilization and democracy do not work, or rather are thrown out of the window, and state-controlled capitalism operates under the guise of evolved communism.

The Great Wall of China – Importance of Chinese Export Laws

To an academician, to those practicing cybersecurity and to those building fortresses to safeguard their IP and enterprises, these Chinese export control laws are very critical. Of course, reading them at face value may reveal little, but understanding the rationale and eventually reverse engineering a solution from the bits and pieces of these new statutes will unravel a new mechanism for protecting the world from any further Chinese intrusion. The later we act, the greater the loss. Let’s call this the “Great Wall of China”.

What do the Chinese Export Control Laws Look Like?

Encryption and dual-use technologies are a facade that mimics the US export control regime. However, the law goes deeper than what it reads. Whether items are approved for export depends on eight criteria: national security and interests; international obligations and external commitments; the type of export; the sensitivity of the controlled items; the countries or regions they are intended for; the end-users and end-use; relevant credit records of the exporting companies; and other factors stipulated by laws and administrative regulations.

Are the Chinese People Different than the CPC State Machinery?

I trust their genetic legacy of wall building, of oppression from the Opium Wars and the lessons of poverty, and, in the last 70 years, the submission of liberal views to state-sponsored thinking only.

In my view, not all Chinese are like the CPC. Of course, as with any population, the usual distribution applies: the roughly 95% within two standard deviations of the mean are people like us, and outliers exist on either side, 1-2% extremely good and 1-2% given to malfeasance, the occult and passive aggression. The worst of it, I believe, is that the CPC is comprised of the latter, and the CPC offers them the avenue and a podium to run such a wonderful country and people. If I guess right, the CPC, in the guise of a national agenda, has hijacked the state. Can we call this the ’21st Century’s Great Wall of China’?

References:

China’s export control law to become ‘key dynamic’ in US relations; https://asia.nikkei.com/Economy/China-s-export-control-law-to-become-key-dynamic-in-US-relations

https://www.taiwannews.com.tw/en/news/4033061

https://www.ft.com/content/47562fd6-89f6-11e9-a1c1-51bf8f989972

https://www.tiangandpartners.com/en/contacts/william-marshall.html

https://merics.org/en/report/export-controls-and-us-china-tech-war

https://www.pwc.com/m1/en/services/tax/customs-international-trade/china-proposed-export-control-law-june-july-2018.html

https://ccdcoe.org/library/publications/huawei-5g-and-china-as-a-security-threat/

https://asia.nikkei.com/Spotlight/Huawei-crackdown/Huawei-5G-dominance-threatened-in-Southeast-Asia

Data with Future Enabled State?

Data (and privacy), regulations, compliance, security and policies are the key to any Future Enabled State and, for that matter, to any cloud transformation. How do we factor data, security, compliance, regulatory and policy considerations into an integrated cloud solution?

So what is Dr. CSP?

I thought it right to devise an acronym for data, privacy and regulations/compliance: Data (and Privacy), Regulations, Compliance, Security and Policies, or DR. CSP. A gamut of policies, procedures and processes needs to be updated, along with a change to organizational culture, to understand and adopt the impacts and implications. What should we do to get this right? Often, when writing a proposal, we just talk about cloud migration. Alas, migration is not a lone, isolated event; it has to factor in all dimensions of transformation. The acronym is simple: any Cloud Service Provider (and even we can be counted in as a CS) should be a DR. CSP. It may sound mean to those who have a fantastic memory, but without being a DR. CSP we are unlikely to resonate with the customer.

Yes, data is number one. It is the ultimate asset of an organization. Data, data and data: the key enabler, or a bane, for the emerging Future Enabled State. According to Networks Asia, “By 2024, 90 percent of the G1000 organizations will mitigate vendor lock-in through multi and hybrid cloud technologies. By using technologies such as containers and data fabric, these organizations will be able to flexibly and easily move workloads across environments while having full control over them”.

According to the same report, “Bank of America, for example, is using containers for app testing and development. By doing so, the bank’s developers and infrastructure staff are able to focus on high-value work instead of managing middleware systems and messaging buses, which do not generate revenue for the bank. Despite the benefits of hybrid and multi-cloud, they will not be the default IT architecture for smaller organizations. This is because data itself can be far less portable than compute and application resources, which affects the portability of runtime environments. Moreover, some cloud services may be exclusive to a particular cloud provider, which means that those services cannot be ported to other environments”.

An integrated solution is key to resonating with customers already in the cloud or those intending to migrate to the cloud. Providing an encapsulation and governance mechanism for critical enablers such as data, regulations, security, compliance and policies will drive the success of the future enabled cloud state.

Interesting read: https://www.networksasia.net/article/4-key-trends-could-spark-digital-transformation-enterprises.1548732759

Imminent fragmentation of a string of Global Village

One of the factors that makes us a global village is our ability to connect over the internet, the internet being a common highway for humanity to connect. With Russia discovering a renewed ability to develop a parallel track, we may see an eventual fragmentation of the way we communicate.

A prelude to imminent fragmentation: everyone will copy this model. So far, we have existed as a single earth, connected together by the internet, making it a global village.

With Russia testing a separate DNS (the Domain Name System, the service that maps names such as google.com to network addresses), it will be talking a different language in a different world. Ultimately, others will follow suit, and eventually lobbies and multi-bloc reorganization may induce a multipolar world that may collaborate or, in the extreme, be at loggerheads with each other.

Russia considers ‘unplugging’ from internet
http://www.bbc.co.uk/news/technology-47198426

Insider Threats: Lessons Learnt

Recent cyber attacks also point towards organizations’ primary vulnerability: the insider. Insider threat is more common than external cyber-attack. Despite the media focus on cybersecurity, it is important to be aware of the insider threat.

The authors shared ten lessons on insider threat. Though these are experiences from a different field (nuclear security) that is continuously exposed to security threats, it is nevertheless important to know their significance and implications.

Below are excerpts from “A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes” by Matthew Bunn and Scott D. Sagan, published by the American Academy of Arts & Sciences.

Even this brief comparative look at insider threats illustrates that such threats come in diverse and complex forms, that the individuals involved can have multiple complex motives, and that common, though understandable, organizational imperfections make insider threats a difficult problem to address adequately. Most nuclear organizations appear to underestimate both the scale of the insider threat and the difficulty of addressing it. Serious insider threats may well be rare in nuclear security, but given the scale of the potential consequences, it is crucial to do everything reasonably practical to address them. The main lesson of all these cases is: do not assume, always assess—and assess (and test) as realistically as possible. Unfortunately, realistic testing of how well insider protections work in practice is very difficult; genuinely realistic tests could compromise safety or put testers at risk, while tests that security personnel and other staff know are taking place do not genuinely test the performance of the system.

LESSONS

Lesson #1: Don’t Assume that Serious Insider Problems are NIMO (Not In My Organization)

Lesson #2: Don’t Assume that Background Checks will Solve the Insider Problem

Lesson #3: Don’t Assume that Red Flags will be Read Properly

Lesson #4: Don’t Assume that Insider Conspiracies are Impossible

Lesson #5: Don’t Rely on Single Protection Measures

Lesson #6: Don’t Assume that Organizational Culture and Employee Disgruntlement Don’t Matter

Lesson #7: Don’t Forget that Insiders May Know about Security Measures and How to Work Around Them

Lesson #8: Don’t Assume that Security Rules are Followed

Lesson #9: Don’t Assume that Only Consciously Malicious Insider Actions Matter

Lesson #10: Don’t Focus Only on Prevention and Miss Opportunities for Mitigation
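As an added illustration of Lessons #5, #8 and #10 (this code is not part of Bunn and Sagan’s guide or of the original post), the Python below layers independent detective checks over an access audit log, so that a preventive rule written on paper is also verified in practice and a signal for mitigation exists even when prevention fails. It implements a two-person-rule check (a sensitive action needs a second, distinct person badged in shortly before it), a self-approval check (separation of duties) and an after-hours check. The log format and field names, the 120-second witness window, the 07:00-18:59 business-hours range and the sample log lines are all assumptions constructed for this example.

```python
"""Detective controls layered behind preventive ones: audit-log checks for
insider-risk signals.  Added example; the log format, rule thresholds and
sample lines below are assumptions constructed for illustration."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).  Whitespace-separated fields:
#   timestamp  actor  action  target  detail (key=value pairs or "-")
SAMPLE_LOG = """\
2020-11-03T09:02:11 alice BADGE_IN   vault-door    -
2020-11-03T09:02:15 bob   BADGE_IN   vault-door    -
2020-11-03T09:02:40 alice VAULT_OPEN vault-7       -
2020-11-03T22:41:05 carol BADGE_IN   vault-door    -
2020-11-03T22:41:30 carol VAULT_OPEN vault-7       -
2020-11-04T10:15:00 dave  APPROVE    access-req-42 requester=dave
2020-11-04T10:16:00 erin  APPROVE    access-req-43 requester=frank
2020-11-04T11:00:00 frank BADGE_IN   vault-door    -
2020-11-04T11:00:20 frank VAULT_OPEN vault-7       -
"""

# Rule thresholds (assumptions for the example).
TWO_PERSON_WINDOW = timedelta(seconds=120)   # second person must badge in within 2 min
BUSINESS_HOURS = range(7, 19)                # 07:00-18:59; anything else is after hours
SENSITIVE_ACTION = "VAULT_OPEN"


def parse_log(text):
    """Parse the audit log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, action, target, detail = line.split(None, 4)
        kv = dict(p.split("=", 1) for p in detail.split(",") if "=" in p)
        events.append({"ts": datetime.fromisoformat(ts), "actor": actor,
                       "action": action, "target": target, "detail": kv})
    return events


def check_two_person_rule(events):
    """Lessons #5/#8: a sensitive action needs a second, distinct person who
    badged in shortly before it; otherwise the rule on paper was not followed."""
    badge_ins = [e for e in events if e["action"] == "BADGE_IN"]
    findings = []
    for e in events:
        if e["action"] != SENSITIVE_ACTION:
            continue
        witnesses = {b["actor"] for b in badge_ins
                     if b["actor"] != e["actor"]
                     and timedelta(0) <= e["ts"] - b["ts"] <= TWO_PERSON_WINDOW}
        if not witnesses:
            findings.append(("two_person_rule", e["actor"], e["ts"].isoformat()))
    return findings


def check_self_approval(events):
    """Lessons #8/#9: an approver signing off on their own request defeats
    separation of duties, whether by malice or by convenience."""
    return [("self_approval", e["actor"], e["ts"].isoformat())
            for e in events
            if e["action"] == "APPROVE" and e["detail"].get("requester") == e["actor"]]


def check_after_hours(events):
    """Lesson #10: a mitigation-oriented signal (sensitive action outside
    business hours) that is routed to review rather than blocked outright."""
    return [("after_hours", e["actor"], e["ts"].isoformat())
            for e in events
            if e["action"] == SENSITIVE_ACTION and e["ts"].hour not in BUSINESS_HOURS]


def run_checks(text):
    """Run every independent check and return the combined, sorted findings."""
    events = parse_log(text)
    findings = (check_two_person_rule(events)
                + check_self_approval(events)
                + check_after_hours(events))
    return sorted(findings, key=lambda f: (f[2], f[0]))


def findings_by_actor(findings):
    """Roll findings up per actor so repeat offenders surface for review."""
    return dict(Counter(actor for _, actor, _ in findings))


if __name__ == "__main__":
    results = run_checks(SAMPLE_LOG)
    for rule, actor, when in results:
        print(f"{when}  {actor:<6} {rule}")
    print("per actor:", findings_by_actor(results))
```

On the constructed log, alice’s vault opening passes because bob badged in 25 seconds earlier, while carol’s and frank’s solo openings are flagged, dave’s approval of his own request is flagged, and carol’s late-night opening is flagged a second time by the after-hours check. Each check reads the same log independently, so a single rule an insider knows how to work around (Lesson #7) does not silence the others.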

Citation:

A Worst Practices Guide to Insider Threats: Lessons from Past Mistakes, Matthew Bunn and Scott D. Sagan, American Academy of Arts & Sciences (insiderThreats.pdf)

Sentiment Analysis in the Context of Insider Threat

https://insights.sei.cmu.edu/insider-threat/2016/12/sentiment-analysis-in-the-context-of-insider-threat.html


Envisioning IS Security Strategy

Reactive versus proactive Information Security

Given the existing cyber environment in which enterprise devices (including IoT) exist, it is pertinent to adopt a defense posture that is ahead of the adversaries. Deploying defense in depth and adopting controls based on known attack modes is necessary but not sufficient. At the same time, encapsulating every asset and resource with every possible control is proverbial, not practical. A pragmatic approach, based on the right strategy of getting ahead of adversaries and staying ahead of them, is critical.