China’s Cyber Espionage: The Trillion Dollar Opera
By N. MacDonnell Ulsch, Contributing Author / May 19, 2025
Mr. Ulsch is the Founder and Chief Analyst of Gray Zone Research & Intelligence—China Series, focusing on China’s technology-driven strategy for global economic supremacy. He advises the US Senate Committee on Foreign Relations on China’s cyber and technology transfer threats and has led incident investigations in 70 countries as a former Senior Managing Director at PwC’s cybercrime practice.
His research includes the impact of technology transfer on China’s economic strategy, US corporate regulatory risk, China’s supply chain penetration, and Military-Civil Fusion as a cyber threat. His LinkedIn China Polls have over 200,000 views and 25,000 followers.
Mr. Ulsch advises an East African presidential cabinet-in-exile on countering China’s Belt & Road Initiative. Previously, he served as a cyber threat advisor to the CIA, focusing on US cyber adversaries and attacks on the commercial sector and Defense Industrial Base. He also served on the US Secrecy Commission and advised a US presidential campaign on cybersecurity.
He is a Guest Lecturer on Cyber Warfare at West Point and a Research Fellow in the Master’s in Cybersecurity program at Boston College, which he helped establish.
Mr. Ulsch has authored two books: Cyber Threat: How to Manage the Growing Risk of Cyber Attacks and Threat! Managing Risk in a Hostile World. He is a Distinguished Fellow of the Ponemon Institute and serves as an Independent Director of a financial services company, focusing on cybersecurity and privacy issues.
An Unforgiving Reminder
It must be in the human DNA. History is an unforgiving reminder of the frailties of, well, us. We think we think things through. But, in the end, we really don’t. At least not always. And not when it really counts.
Let’s go back seventeen years. “Security 2.0 is, among other things, a mindset,” I wrote in my book, THREAT! Managing Risk in a Hostile World, in 2008 (The IIA Research Foundation). “It is a way of thinking about the known and the unknown. It is a mindset of anticipatory security.” This brings to mind the horrific attacks of September 11, 2001. “Security 1.0 was … the World Trade Center design. It was eminently targetable, visible from a distance, standing out from the architectural structures around it, reaching high into the sky. The structures that were the symbols of excellence and competitiveness and economic strength could not withstand the attacks of September 11th and were totally destroyed.”
Then, consider the Pentagon. The Pentagon was more like what we called Security 2.0. The Pentagon survived the intentional crashing of a Boeing 757 fueled with roughly 10,000 gallons of aviation fuel. Although damaged, the Pentagon survived. It was low profile, low to the ground, built in a defensive profile, a difficult target at best. Security 2.0 represented survivability in the face of the deadly terrorist attack. It had the ability to endure the devastation, to be resilient, to survive attacks that it could not have reasonably anticipated.
Hard to Imagine
In another example, it is hard to imagine that in the earliest days of the Internet, there was no built-in security. The Internet was the last chance to stop a war between the United States and the Soviet Union. It was the Internet, accessible even when all other telecommunications and data devices were inoperable. But cooler heads prevailed and the Internet did not have to save humanity from itself.
Speed forward four decades or so. I have more gray in my hair and my musculoskeletal frame has more aches. And security has many of the same challenges it did when I was far younger. Let me name one that haunts us day and night.
Technology Transfers
When do Smart Cities become dumb ones? When they do not heed the mistakes of the past. We know that China engages in many forms of technology transfer. It includes cyber espionage. Cyber espionage continues to cripple industry, totaling a trillion dollars in lost intellectual property and trade secrets—and that is in the United States, alone.
Simple Game of Economics
China’s Smart City strategy stays alive because it plays a simple game of economics that appeals to many. China will buy markets by forgoing profit on technology components. These components are elements of a sophisticated communications network that continuously feeds information back to the China homeland. Take Hikvision.
Hikvision
Simply speaking, it bought the market for surveillance cameras. The U.S. Federal Communications Commission banned Hikvision cameras. No new electronic equipment produced by the company will be granted an FCC license. So, it is illegal. But there are still Hikvision cameras embedded in some systems. And the ban of Hikvision is not universal. So, China continues to receive intelligence feeds every day.
Jeopardizing Security
Smart Cities in many countries will use these products and others that jeopardize security. In developing nations, China-led authoritarian systems can be used to target so-called undesirable segments of the population, much like the Uyghurs have been persecuted in China.
My point is this: no matter how good the security is in Smart Cities, if Chinese surveillance and communications components are integrated into the configurations, then security has failed before the go-switch can be turned on and the Smart City comes to life.
We Know, Don’t and Won’t
The funny thing is, we know how to prevent this. But we don’t and we won’t. We know how to audit against cyber risk. We know the questions to ask. We know the vendors that elevate risk. Or do we? What about China’s minority investments in product and service companies that get inside Smart Cities and implement their systems? Some in Smart City development deny the issue. Others default to the budget argument. Some learn from the mistakes of the past, some don’t.
Smart City Vulnerability: A Look at the Nuclear Power Industry
The world was witness to the then unimaginable power of atomic energy in World War Two. After the war, this weapon of mass destruction became the ploughshare of the energy industry. Atomic energy was perceived as the great energy resource. By the late 1950s, municipalities around the country were planning for the adoption of atomic power plants. Such power plants were envisioned as safe. Atomic power plants would become widely available, and the energy supply was virtually unlimited and cost-efficient. What could possibly go wrong?
What went wrong was the Stationary Low-Power Reactor Number One, also known as the SL-1, an experimental reactor at the National Reactor Testing Station in Idaho Falls, Idaho. It was 1961. City governments around the country were supportive of atomic power and the opportunities to produce sustainable energy seemed endless. Then a black swan event hit on the frigid night of January 3rd. A love triangle involving two men and one woman who were assigned to the atomic facility led to a catastrophe.
One of the men, jealous of the other male worker, triggered a murder-suicide at the plant by pulling out the reactor’s central control rod. This resulted in a super-heated steam event within four milliseconds, causing a massive explosion.
A nearby fire and rescue operation responded to the scene. It was a disaster. At least one of the three workers was alive. A firefighter gave mouth-to-mouth resuscitation to the victim. The firefighter soon thereafter died from atomic contamination. The dead were buried in concrete tombs to prevent dangerous contamination.
As word of the incident spread, municipalities around the country began to second-guess the wisdom of embracing atomic power. But it wasn’t a failure of the technology. What failed were the policies and procedures that served as the operational guidelines for maximum productivity and safety.
The Risk of Compromise
Unfortunately, this is also a deficiency of all things cyber. Sometimes bad things happen. The goal is to try and limit exposure and loss through vendor agreements and service level agreements, and policies and procedures that are supposed to ensure protection from administrative error and hostile attacks. But the world isn’t perfect and Smart Cities will not be perfect, either. Some Smart Cities will simply violate information integrity because it serves the purposes of the government. Even in U.S., values-led Smart Cities, the risk of compromise is high unless cybersecurity defense and privacy protocols are prioritized.
The Human Factor
We have failures of technology. We have failures of protocol. We have violations of regulatory compliance. And we have the human factor, just as the SL-1 power reactor had. Just because we think we have secured our approach to Smart Cities doesn’t mean we have secure Smart Cities. Just because we will be creating extraterrestrial data centers on Low Earth Orbit in space doesn’t mean that we have eliminated the human factor from the risk equation.
Be Smarter
When we think about Smart Cities and data centers in space, do we envision them as Security 1.0, the World Trade Center, or do we see them as Security 2.0, the Pentagon? We need to be smarter about Smart Cities. We cannot afford to be wrong. The stakes are higher. The losses potentially incalculable in a world of connected Smart Cities.
Yet, history tells us we will continue to make mistakes. Let’s work hard to make sure that the mistakes we make are not fatal ones.