Does the Chinese government steal technology from US companies? That was the question before four of the most powerful tech CEOs on the planet earlier this summer.
Jeff Bezos, Sundar Pichai, and Tim Cook all denied firsthand knowledge of such schemes. Only Mark Zuckerberg was willing to note that Chinese theft of technology from American companies was "well documented."
Zuckerberg is right, and his willingness to admit it marks a sea change in how US companies have approached business in China. That the other three dodged the question, however, shows that many businesses still value profit at all costs.
What are those costs, exactly?
In 2018, the US Trade Representative found that Chinese theft of American intellectual property (IP) costs between $225 billion and $600 billion annually. The FBI is investigating 1,000 cases of Chinese IP theft. The push for profit at all costs has resulted in lawsuits, damaged competitiveness, and if a company competes for federal government contracts — as Google and Amazon do — it can also be a matter of national security.
The definition of shareholder value needs to shift. Instead of pursuit of profit at any cost, protecting IP in the name of US economic and national security should be part of every company's fiduciary duty to shareholders. And that means shutting the door on China's rampant hacking and theft of US companies' technology. Too many companies are still either ignorant or neglectful of their cybersecurity.
Here are two ways we can change that and better guard American innovation from the Chinese hackers working so diligently to steal it.
Transform the Boardroom
When you look at board member profiles, it's rare to see anyone with any kind of IT savvy, let alone a cybersecurity background. With all the press around data breaches and advanced persistent threats, with the results of these attacks starting to show up in public filings, it's clear cybersecurity should not only be a board-level concern but should influence the very composition of the board.
Instead of having a CISO show up quarterly to offer the board a report, companies should have a former CISO on the board. Perhaps there should even be a requirement that public companies have at least one member of the board with deep expertise in cybersecurity.
Lacking that board-level expertise leaves many businesses ignorant of one of the biggest risks they face: A cyberattack that not only disrupts the business but results in the loss of IP.
Take a New Perspective on Compliance
Multinational businesses are drowning in regulatory requirements from GDPR and CCPA to PCI DSS and the new CMMC. From international rules to state data breach laws, companies have so much to comply with that they develop a check-box mentality around cybersecurity.
The philosophy is that if they follow the rules and pass their audits, they're fine. If a company has a credit card breach, it can produce five years of successful PCI DSS audits to show it did what it was supposed to do. This is a focus on compliance for compliance's sake, instead of on actual operational security.
The two don't have to be mutually exclusive, but it does take thought and effort to align day-to-day operations with compliance. The board often doesn't see the gulf between the two. They see red, yellow, and green on a presentation slide about compliance and ask questions about the speed of audits. With more cybersecurity expertise on that board, it can start digging deeper and support the marriage of regulatory compliance with day-to-day operations.
Why Protecting IP Is the New Imperative
Whether by ignorance or negligence, many American companies have become victims of China's IP theft. But a desire for profits over protection may be reaching its end.
The world is waking up to the blatant IP theft China has perpetrated for years and the damage it leaves in its wake. If you're not working to harden your security, to ensure your board has at least one member who's an expert in cybersecurity, and to ensure compliance isn't just a checked box but an operational security stance, you're ultimately not serving your stakeholders, your business, or your country.