Scott Wallsten: Hi, and welcome back to Two Think Minimum, The Technology Policy Institute’s Podcast. Today is Friday, June 12th, 2020. I am TPI’s President and Senior Fellow Scott Wallsten, and I’m with my cohost TPI Senior Fellow Sarah Oh. Today we are honored to be joined by Samm Sacks. Samm is the Cyber Policy Fellow at New America and a Senior Fellow at the Yale Law School Paul Tsai China Center. Her research focuses on emerging information and communication technology policies globally, particularly in China. Her work covers issues ranging from the US-China technology relationship, the Chinese government’s tech ambitions, China’s cybersecurity regulatory environment, and the global expansion of Chinese tech companies. In fact, she has worked on Chinese technology policy issues for over a decade, both with the US government and in the private sector, and now at New America and the Yale Law School. She is currently working on a book titled Data and Great Power Competition. We could spend all of our time reading Samm’s impressive bio, but we should probably turn to Samm herself. So thanks for joining.
Samm Sacks: Thanks so much for the kind introduction and for having me, Scott, it’s always great to talk with you about these issues.
Scott: Thanks. We really appreciate your being here. So you gave this really impressive testimony to the Senate Judiciary Committee in March and from that and from much of your work, it sounds like you broadly try to deal with this big question of how we enjoy the benefits of maintaining openness in the US and engaging with China for commercial, scientific, and diplomatic reasons, but also manage the potential cyber threats, and also not ignoring the human rights abuses in China. How do you hold those all in your head and try to think of a, put something coherent?
Samm: So I was listening to a podcast recently, not a tech policy podcast, not a foreign policy podcast. They were interviewing the Duplass brothers. Brene Brown was interviewing the Duplass brothers. The topic of the podcast was on paradox and on holding tension. And I think about this a lot in my work with China, it’s about be comfortable with understanding that paradoxical things will be on your mind all the time and being comfortable sitting with that and being capable of grappling with the issues in spite of that paradox. But to get at your question about how we think about this in a more concrete way. One of the things I often think about is, how do we maintain the openness of the US system, which has been a source of innovation, of prosperity, of security, that’s contributed to having world-class research institutions and leading companies around the world, but knowing that that openness has been exploited. And to me, the question is, where do we put the guardrails? Are we putting those guardrails in the right places? And I would argue that we probably aren’t right now, but we need them. So how do we think about that in a more effective way?
Scott: So let’s start with what are the guardrails that we are now putting in place and where do they go wrong? And then we can turn to maybe what they should look.
Samm: Sure. There are a spate of different actions coming down from Washington right now, focused on finally confronting Beijing over years of economic and cyber espionage, taking advantage of the openness of research and university systems, technology transfer, the like. Not to mention the dominance of companies like Huawei, and there are a couple of others that have come in the crosshairs. So maybe we should just step back and look at what’s the state of play. Where are we currently looking to put up new barriers? Huawei is obviously top of mind. The most recent action is the Commerce Department amended what’s called the foreign direct product rule. And what that essentially does is it closes a loophole that had allowed foreign suppliers, primarily, I think the main targets of this are Taiwan Semiconductor Manufacturing, TSMC, to continue to sell to Huawei, even if they relied on semiconductor manufacturing equipment or software from the United States. So this rule closes that loophole and requires a license, even for third party suppliers like TSMC, with the assumption being that that license would be denied. That’s just the latest in a spate of actions about Huawei and we could talk about some of the others. We’re also seeing expanded export controls really meant to target what had been loopholes in the export control regime, where the Chinese government would seek certain kinds of dual use technologies, purchase them for ostensibly civilian end users, but then under the banner of China’s military civil fusion initiative, those products could end up in the hands of the PLA. We’re also seeing a number of other Chinese companies caught in controversy. TikTok is under a CFIUS investigation right now. And there are questions around how is TikTok managing the data of US citizens as well as content control issues. Chinese companies like the drone maker DJI are also under scrutiny. So we could go on and on. There’s a list of these initiatives. 
And what they’re all sort of aiming to do is first focus on national origin. So create new restrictions that are really targeted at Chinese companies, Chinese end users, Chinese researchers, so national origin in nature. And I think at the same time to try to build up, US and Western alternatives in areas where we have become reliant on Chinese suppliers like Huawei.
Scott: So the way that you talked about the foreign direct product rule, it almost sounded like you think that one may have been properly targeted in ways that address real problems rather than guardrails that are not effective. Am I hearing that correctly? That one you think maybe does more good than harm?
Samm: Well, I think it depends on what’s the end goal here. What’s the aim that we’re trying to achieve? If the aim is to cause significant damage to Huawei and put a real dent in its global technology ambitions, this is the way to do that because it cuts at the heart of Huawei’s ability to be self-sufficient. Its internal chip division, HiSilicon, may have been able to survive without directly receiving US parts. But then once you go after the third party suppliers, I think that takes a real strike at its self-sufficiency. I think the problem with these ongoing actions against Huawei are the second and third order consequences in ways that will create difficulty when it comes to US technological leadership. So I’m already hearing that when countries around the world are looking at vendors to go to, they’re now beginning to design out US suppliers. There’s a sort of perception that the US has politicized the supply chain and that relying on US parts is now politically risky. So you heard pushback from the US semiconductor industry earlier this year, appealing directly to the Pentagon, saying, look, if you want us to be a viable source for the US defense industrial base, but now these actions are going to significantly take a dent out of our global revenue and ability to be in markets around the world, we’re not even talking about supplying China directly, that’s going to take an effect. And I think at one point they had found this sort of receptive ear, but not so much anymore.
Scott: So one byproduct of these rules is closing markets to US companies and possibly, but not explicitly, opening them up to Huawei.
Samm: Right, exactly. So that’s just on Huawei. On the data side, with the Senate testimony that you mentioned, so Senator Hawley has proposed a bill, which would essentially stop US citizen data at the physical border of the United States, instead of going to certain named adversary countries, China and Russia were named, or potentially others could be included in that category. Here, and I think for all of these actions, what I like to do is sort of say, what are the consequences of this that actually extended beyond the direct competition between the US and China, because increasingly that competition is going to be playing out in third countries. It’s going to be in India. It’s going to be in Europe. It’s not going to be as much in each other’s markets. So what happened after this hearing where the idea would be let’s restrict storage and transmission of US data to these adversary countries, the Indian government called up counterparts in Washington and said, oh, you’ve been upset about Indian data localization now for years, lobbying against this, but now you’re essentially localizing US data. Why can’t we do it as well? And so what this does is it creates an environment where when our companies need large, novel international data sets in order to get ahead in data intensive technologies like AI, we now may be in a position where others around the world are going, I guess we’re in a race to the bottom with data nationalization.
Scott: Are you seeing any US policy makers trying to respond to that or react to it in any way? Because you’re right, for years, the US has been the one saying, no, no, data localization laws are harmful to innovation.
Samm: You know, I haven’t. It’s seen as this is a national security issue and protesting that is unpatriotic. I haven’t heard any pushback.
Scott: National security seems to be a justification for a lot of things. But when you said earlier that one of the things that the foreign direct product rule would be good at is, possibly as an attempt to destroy Huawei rather than target it at a particular problem. Do you think that these efforts are in fact more targeted at particular companies than dealing strongly with a particular problem? Does that have something to do with people seeing China as a monolith of rather than a place of many, many interests?
Samm: I do think people see China as a monolith, and I think Chinese companies are also seen as monolithic. And look, going back to this question of openness, we do know that there are Chinese companies that are connected with the defense establishment, that are doing contracts for the security services. There are areas in which it does make sense to block investment and trade with certain actors. So the question is, are we targeting the right companies? My view on Huawei, personally, is I don’t think that we should have Huawei in US networks, particularly when it comes to critical ones and in a 5G era when we’re more and more reliant on software. The question is, how do we do this in sort of a smart way? I know that there’s sort of initiatives underway that would create a kind of public private partnerships in the US to try to create more diversity in the supply chain. If we’re reliant on just a handful of actors, that’s not going to benefit anyone. So how can we get incumbents in? How can we create more diversity? So you have more, it’s not just a sort of one stop point of failure. Those efforts are underway here. And I think that’s positive.
Scott: You do think that’s positive? I mean, the history of these public private partnerships, it doesn’t always lead to positive outcomes. In this case, it’s a good thing?
Samm: Well, it depends on how it’s done. I mean, the good thing is we need more diversity. We need to have more players there, but can we do this in a market driven way? I think it’s a bit too early to tell will there be a market distortion or not. My understanding of the so-called TSMC deal, where they announced recently that they’re going to build a fab in Arizona. And the idea was that this would sort of come in conjunction with the new restrictions on supplying Huawei under the SDPR. My understanding is that TSMC sort of wanted to do this in a market-oriented way, not wanting to have distortions. I don’t have visibility into how that’s playing out so far. Do you?
Scott: No, I don’t. I’m always worried that if you have an initiative that tries to get companies to work together, the potential downside is that they don’t compete anymore and that’s risky. But we faced this issue with the semiconductor industry, back in the 1980s, although there was a national security component to it then, the countries that we were worried about were not considered adversaries.
Samm: Right. So one of the questions is, could some of these initiatives end up removing areas where there have been market distortions, because you just had basically less than five suppliers here. The ORAN initiative, which would encourage operators to migrate to interoperable interfaces over the next few years, what that could do is just open up the playing field and create a space where you didn’t just have locked in certain vendors in the tech stack.
Scott: What do you think about the ORAN? We’re certainly hearing a lot about it now, does it seem like it has the chance of living up to the hype?
Samm: I don’t know. It depends on who you talk to. And to be totally honest with you, I’m not really in the weeds on it. There’s also criticism of it. Some have said, this is untested. This is sort of pie in the sky. I think the aspirations of it, in my mind, are encouraging. If what it can do, those who say we can’t just have an outright ban on Huawei, the rip and replace just completely unfeasible, maybe this could be a sort of softer transition, where, over the coming years, you could sort of work out Chinese companies out of the network while using these sort of interoperable interfaces to create more space, more incentives, to have other vendors come in, in theory. To me, that sounds like a good theory, but again, it’s going to sort of depends on what exactly is the relationship between the public and the private side.
Scott: So actually, to go back a little bit, mostly what we’ve ended up talking about so far is how we deal with Chinese companies operating in the US but as you’ve pointed out, there are two parts of this. One is Chinese companies operating in the US and the other is US companies operating in China. What should US companies operating in China worry about, what rules should they follow? How do you balance protections that we put in place against Chinese companies, how do they end up affecting US companies operating there?
Samm: So when we hear about US companies in China, I think that there’s this myth, that I’ve heard people say this so much, no data is confidential in China, US companies that are in China by default, by the very fact that they’re given permission to operate there, provide back doors to the Chinese government and do all sorts of things that are compromising from a values perspective. And also in terms of turning over IP and tech transfer. My sense is it’s not really as black and white as that sounds. I think people that say that sometimes haven’t actually talked with anyone that has to comply with the regulations required to be in China. So when you talk with multinational companies in China that are involved in these audits with Chinese regulators, in sort of following what exactly does the cyber security law require? What does the domestic encryption law require? What you find out is it’s really not black and white. It’s a negotiation, it’s this dance and the local officials in China, often, whether it’s the security bureaus that are enforcing things like the multilevel protection scheme, these are sort of the dozens and dozens of myriad regulatory schemes that multinationals have to pay attention to over there. What you find is the local officials in China, they don’t just have security incentives. They also have economic incentives. And so for a local public security bureau official to go to a company, a US company and say, give me all of your data. That’s not necessarily in their economic interest. I think particularly now, because China’s under major economic pressure in the pandemic era, even now, more, I think there’s more space and need for foreign investment. And so a local official might say, hey, I’m not going to implement the strictest most conservative reading of this requirement and listen to the company when they push back on it, because commercially it’s not in their interest to turn over all their data. 
And if I’m a local official, economically, I have quotas in my jurisdiction that I need to meet. So it’s not always about let me enforce this to the letter of the law in the most conservative, worrying way. And it’s much more of a negotiation. And so that’s why I think that we need to sort of take a deep breath before saying, no, multinationals shouldn’t be in China because of the compromises they have to make by being there.
Scott: How could US policy take those sorts of things into account? I mean, you’re saying that there are laws on the books, and then there are the way the laws are interpreted, how rigorously different laws are enforced. And of course that’s true, not just in China, but everywhere. And is the problem the laws are enforced in a different way in China than they are here or is it that we, for the most part, don’t understand the way Chinese institutions work?
Samm: I mean, I think right now we really don’t understand the way Chinese institutions work. I think there are so many misconceptions about that. And Chinese law is a tool that’s used selectively, in an uneven way, depending on the whim of the party state and what’s going on in the broader environment. So there are certain companies that I think are more savvy than others in navigating that. Zoom has been in the news recently, it’s sort of showing how difficult it is to both be in the US and in China at the same time. They’re certainly not the first nor the only company that’s dealt with these issues. So the question is, what’s the role of the US government here? So one of the things that I advocated for in my Senate testimony, particularly on this issue of data access and law enforcement access to data in China, I think that this is an area that is really more of a moral and an ethical issue. It’s not really an area that is in, I would say, is not one for policy makers to legislate on. I don’t know how they would do that. On the flip side of it, on Chinese companies operating overseas in the United States, this is an area where US law and policy can play a role and what I’ve argued for is, let’s get away from a national origin approach and let’s focus on coming up with more robust rules for data collection and retention for all companies. And what that does is it keeps data secure, if you’re an Equifax and you’re potentially vulnerable to a sophisticated state sponsored hacker, it’s a way to secure and limit retention of that data, so it wouldn’t be vulnerable in the first place, or if you’re a company like TikTok, then that data wouldn’t be available to be transmitted back to the Chinese government in the first place.
Scott: Do you get any traction with that argument among policy makers? It’s hard to get Congress people to not think in a national security way.
Samm: I was really surprised, actually, during hearing, I thought that there were some members that were much more receptive than others, I’ll say. It seemed like people were sort of receptive to exploring how can we do this in the most responsible and effective way. We’ll see if they are able to actually do that in this environment. It looks unlikely.
Scott: What would you do, if you could, to get policy makers to better understand how China works? I mean, I know you’re already doing a yeoman’s work of patiently explaining it every time you testify, but what needs to happen to get policy makers to understand the ways that China is different from us, the way that they aren’t, and all of the incentives that Chinese policy makers are under. Why don’t they get that now, where it’s we do more or less with European countries or even Japan?
Samm: I think a lot of them don’t really want to understand or have an accurate fact based understanding of how things work in China. I think we are in a China bashing moment where there’s sort of bigger fish to fry. And if we throw the baby out with the bath water, to mix all of my metaphors there, I don’t think that’s seen as problematic, right now, among policymakers. Is that too cynical?
Scott: Well, not for me, but for a lot of people probably. But does that cynicism carry over to other aspects of this? Are you generally cynical about the future of these issues, China/US relations and technology cooperation and all of the struggles that we’re having?
Samm: I have a pretty bleak outlook. So I think we’re looking at two scenarios. One is partial decoupling and the other is comprehensive decoupling. I think a return to the good old days, which I call dysfunctional equilibrium, where the idea that we continue to have ongoing bilateral trade and investment with an occasional flare up, but there’s a sort of baseline of stability. I think those days are over. We no longer have any diplomatic or communication channel at a high level, right? So now it’s a question of how far do we go? What is the degree and the speed of decoupling. My base case right now, I think we’re in a partial decoupling scenario. And I’ll tell you why. When I talk with US technology company executives, what I’ve been hearing lately, and of course it depends on the company, it depends on the industry. But I think in general, the idea that we’re going to rip and replace China from our supply chains, not just Huawei, but across the board, different sectors and companies, I don’t think that’s feasible, particularly right now. China, what I’ve heard recently, is that of all the suppliers in the world, we look just sort of from a manufacturing base perspective, China is the most stable given what’s going on with the pandemic. Whereas others, whether you’re talking about India or Vietnam or Mexico, are kind of in chaos. But that’s just a near term thing. Over the long term, I don’t think it’s possible to completely unwind supply chains. If you look at some of the specific issues, like let’s look at TikTok, for example, we don’t know a lot about what’s going on with the CFIUS investigation into TikTok, but TikTok appears to be devoting a lot of resources to geofencing, to sort of really separating out the overseas business from the Chinese version, which is called Douyin, accessible to Chinese cell phone users in China. 
They’ve gone to great lengths in terms of hiring senior executives in the US, trying to keep data, using third party verification to keep the data stored here. Let’s see if that passes muster with CFIUS. If so, it kind of says, okay, our company is going to be in a position where if they want to be both in China and the US they really need to fence off and have a China presence and a US presence. If TikTok were kicked out altogether then I think we’d be more in that completely decoupling scenario.
Scott: I think TikTok is a particularly fascinating case because on the one hand it’s a Chinese company. So it falls into all of these debates. On the other hand, it is providing direct competition to Facebook and Instagram and all of these companies that so many of the same people who are critical of China, those same people also worry about competition among big tech companies. So on the one hand TikTok is providing enormous competition, by some measures people spend more time on it now than they do on Instagram or Facebook, but at the same time, they also don’t want it because it’s Chinese owned. That’s not really a question, it’s more of a statement. But what are the specific security issues that people worry about with TikTok? What information is anybody giving? Are these dances of particular national security importance?
Samm: I think there are two issues. So one is the data collected on who’s dancing with who, when, in what backyard, with what cat. Could the Chinese government, in 20 years, when that 16-year-old applies for a national security clearance to work in the Department of Defense, as part of this sort of Orwellian big data analytics project, would they reach into that data pool and then launch coercion, blackmail, investigation, operation against that person. That to me, if the data even reached some central pool of data in China, which I don’t think exists. If that even happened, to me is a very inefficient way to run any kind of intelligence operation, so I’m kind of skeptical of that. What I do think is more of a concern is how are they dealing with content moderation? We just don’t have any visibility into that. But again, this is not a question that’s specific to TikTok. I think this is a question that all platforms, US ones included, are grappling with. So they’re not unique in that way. And so when we say, oh, we have no visibility into when they’re taking down content and if political information is going up and are they censoring that blah, blah, blah. That’s not unique to TikTok. Everyone is kind of under the gun for that right now.
Sarah Oh: Related to the different regulations in the US and China, how much of the tension is about US increasing their standards on Chinese companies? Like for the securities markets, the New York Stock Exchange, they’re talking about not listing Chinese companies, because they’re not auditing their books properly. I think there was a case of Luckin Coffee that was a major fraud. And so they kicked them off the exchange. How much of this is actually putting some compliance standards on Chinese companies?
Samm: What you’re referring to is called the Holding Foreign Companies Accountable Act, which recently passed the Senate. And what this would do is require listed companies to certify that they’re not under the control of a foreign government and undergo three years of audits by the PCAOB, which, for years, this has been an issue, this has been a loophole, right? Luckin Coffee is not the only one. And it’s something that Chinese companies have long said, this is state secret, I can’t provide that. So I think this is one of these areas, when we talk about are we putting guardrails in the right place, one of the questions I’ve had is, is this an area that’s been a loophole where there should be more transparency, there should be more oversight and there hasn’t been. The issue with this is if it goes forward, it has pretty massive ramifications, because it would essentially lead companies like Alibaba, Baidu, JD.com, a host of companies, they would have to delist and they would go back to Chinese markets. So what are the implications of that? And there is a three year window, which could provide some kind of a buffer around this, but this is a really big deal as we think about the suite of tools that are out there.
Sarah: Do you think the standards have been not enforced as strictly towards Chinese companies? How about European companies? Are they more in compliance than Chinese companies?
Samm: I believe so. They have to be, right?
Sarah: I would believe so. So it’s not, I mean, China can’t say, oh, you’re asking us for more documentation than you ask other people.
Samm: Oh no, no.
Scott: Although that seemed to happen with the technical comparisons, or the security audits of the Huawei networking equipment though, right? Because we didn’t know the comparisons with Nokia and Ericsson. I don’t know if that’s still true or not.
Samm: Right. So I think this is a really good point, which is about the national security implications of losing visibility. And when we talk about decoupling and justify it around national security grounds, I think something that’s often missing from that conversation is if we have no channel, if Chinese tech companies, and some of the leading researchers in emerging technologies, as their opportunities in the United States shrink, as do our channels for having visibility and engagement, I think there are also major national security implications that come along with that, with losing insight into what are they doing? How are they approaching these issues? Particularly these are technologies that are going to be so massive in terms of their implications for society. I think it’s not all about economics here.
Scott: I think that’s right. I think there are also additional implications, economic implications. There’s a fair amount of research now looking at what happened to scientific output during world wars, when scientists who had once worked together had to stop. Overall innovation decreased because you had just cut off connections between people who used to work together.
Samm: Totally. And this is really true when it comes to AI research. So Macro Polo, the Paulson Institute, just put out a study on the leading AI researchers in the US and China. And they found that some of the top talent coming out of China has been coming to the US but now, as we go down this decoupling path, when these researchers are facing scrutiny, are they spies for the Chinese government? Are they sending their things back to China? That hostile environment is just going to, will lead them to go back to China. And so I think we benefited from that cross pollination of innovation going both ways across the Pacific, and as it increasingly shifts back to China, we lose that as well.
Scott: We’re beginning to run out of time, but let me ask, what do you think would have to happen for your outlook to become more positive? Is there anything you could point to that make you think, oh, maybe things will get better?
Samm: Well, we’ve seen a lot of bluster recently from the President on China.
Scott: Only on China? [Laughter]
Samm: We’ve seen a lot of it when it comes to China. So a week or so ago when he made this speech in the Rose Garden, it happens to be the same time when protests were erupting around the United States. And so you have this sort of split screen of police protests and the President coming out and blaming China for everything. He announced a stream of things, some related to Hong Kong and revoking its autonomous status, some related to Uyghurs and even been talked about some Uyghur, there’s an act that would sanction officials and companies linked to Xinjiang and the like, all of the things that he announced I think had more bark than bite. And so there are still a lot of more concrete steps that could be taken that are hanging out there. That to me would be a sign, okay, things are sort of deteriorating even further than where they’ve already gone.
Scott: So you can only see ways that it can get worse at the moment.
Samm: Oh, right. I’m always going to the negative, your question was how can things get better? And my best case scenario was on things not getting worse.
Scott: And maybe that’s the way it is.
Samm: Yes. Maybe that is the way it is. So we focused a lot on what’s happening from Washington. There’s a lot also going on in Beijing and the Chinese government, it’s important to note, hasn’t really responded in a significant way, yet. We’ve heard threats of retaliation, threats about putting companies on the unreliable entity list, but they haven’t done it yet. I think there are a lot of sort of tools in the toolkit that haven’t been brought out from China, whether it’s new anti-monopoly investigations coming from SAMR in China, whether it’s use of this, it’s called the cyber security review measures, which is a way that the Chinese government can kick out a company by saying it’s a security risk in the supply chain. Things could get a lot worse if they start taking some retaliatory action which they have not to date.
Scott: Why do you think they haven’t?
Samm: So I think it goes back to the point I was saying earlier about the economic slowdown in China. So I think there are two things at play. One, the government still very much needs foreign investment, but the other is, does the Chinese government have a long term ambition to kick out foreign suppliers in core technologies? Yes. Are they anywhere near having the capability to do it? No. And I think so long as there’s still this sort of gap in what the domestic companies are able to provide, I think it’s still very much open for business.
Scott: Well, that’s actually another interesting point because I think conventional wisdom, I mean among people who don’t know China very well, is that China’s really caught up technologically, is that kind of not true?
Samm: It’s sector by sector. And this is an area where if you look at the digital economy, mobile apps, this is an area where China’s almost kind of futuristic. Mobile payments, E-Commerce. If you look at some of the underlying hardware, I know that the Center for Security and Emerging Technologies at Georgetown recently had a report on AI chips. This is an area, these sort of advanced semiconductors, where China had lagged behind and why the Commerce Department’s actions against Huawei have really struck at the heart of their technological ambitions. So I think this is an area where they’re still a couple years behind, but catching up fast, but you have to take a sector by sector approach.
Scott: Well, I think that’s probably a good place to leave it since most things are fact-based and sector by sector in whatever we’re talking about, it’s hard to generalize overall, although I’m just generalizing about generalizing. Samm, thanks so much for talking with us today. That was really interesting. Really appreciate your time.
Samm: Thanks so much. It’s great to talk with you guys.