Understanding ANT, Big Data, and CFIUS

Sometimes people say the Committee on Foreign Investment in the United States (CFIUS) is a mysterious “black box.” It’s actually an efficient, if overworked, interagency process for assessing the risk to U.S. national security from a transaction involving a foreign company gaining access to sensitive U.S. technology, infrastructure, or data. This should not be mysterious, but what can sometimes baffle outside observers are the grounds for CFIUS concern.

News that ANT Financial, a Chinese company linked to Jack Ma’s internet giant Alibaba, withdrew its proposals to acquire MoneyGram, an American money transfer company, in the face of opposition from CFIUS was not a surprise. The tacit rejection of the ANT deal reflects reasonable concern by CFIUS over the risks of approval. It may also be considered collateral damage from the U.S. Office of Personnel Management (OPM) hack.

CFIUS began as an effort to protect the defense industrial base and defense technologies. A decade ago, Congress added homeland security and critical infrastructure protection to the factors CFIUS considers in reviewing cases. The CFIUS mandate is expanding again, reflecting larger changes in the economy and in technology that highlight the importance of digital data.

In 2015, Chinese intelligence entities hacked OPM, along with several other large companies, to illicitly acquire immense databases containing the personal information of millions of Americans. The OPM hack was part of a larger campaign to reorient intelligence activities to a more data-centric approach and populate Chinese “big data” programs for counterintelligence. OPM’s files provided security clearance data on millions of federal employees. Combined with travel and insurance data acquired from other victims, the Chinese can mine this trove for counterintelligence purposes.

Fears that the OPM hack would give China insights to improve their recruitment of Americans to spy for China were misplaced. The primary intent, as is so often the case in Chinese surveillance efforts, was most likely directed at their own population, to allow the Chinese security services to better identify Chinese who are sources for the Americans, part of an expansion of surveillance programs to improve political control, counter-terrorism, and counterintelligence. The Chinese have made massive efforts in data analytics and biometrics (facial recognition, fingerprinting, DNA analysis) to create comprehensive surveillance programs.

A hypothetical example would be for the Chinese to compare the travel records of a U.S. person holding a clearance with the travel of Chinese citizens, to find if there was any match where the Chinese citizen and the cleared U.S. person were in the same place at the same time. This was prohibitively cumbersome before high performance computing and sophisticated data analytics. A match is not conclusive, but would justify expanded surveillance focused on that Chinese individual. Think of it as a game where there are thousands of fish in the sea, but you want to catch one specific fish. Big data helps you identify and locate that one fish.

Data analytics and artificial intelligence have transformed intelligence the same way they are transforming business. Companies collect masses of data and develop sophisticated programs to better identify customers. Intelligence agencies can do the same thing to identify spies and terrorists. Data analytics and AI are the future of intelligence and can significantly improve the effectiveness of counter-espionage and counter-terrorism operations. Intelligence agencies are as hungry for big collections of data as are private companies. All the hard work of human recruitment and illicit technical access is still essential, but the ability to combine and corollate data from a variety of human and technical sources can significantly improve analysis and identification—there is where the United States has an advantage in foreign intelligence.

Before civil libertarians react in horror, note that the information western intelligence agencies collect differs from the data that Google or Facebook collect on buying habits. Western efforts are focused on non-citizen or illegal activities – comparing narcotics trafficking convictions to contacts with terrorist groups, for example or travel to places like Syria. This external focus is a necessary constraint when compared to an authoritarian’s untrammeled access to data, but a more focused approach is also necessary in open societies if any analytical system is not to be overwhelmed by “false positives,” a result that says a person may be of interest when in fact they are not. A program that generates thousands of incorrect leads is worse than useless.

People experience these programs when they travel abroad. When you submit your fingerprints on entry or when you have your picture taken at the immigration booth, this data can be run against databases to identify persons of interest or to deny entry. These efforts are at an early stage, but one example of their utility is that it is possible to obtain partial fingerprints from the fragments of improvised explosive devices. Western security services have assembled a collection of several hundred potential bomb makers and can screen for them if they try to enter. Most intelligence agencies also scrape open source data from social media. Combing biometric techniques, social media profiles with data analytics changes the likelihood of positive identification and changes the requirements of covert operations.

What does all this have to do with ANT? The ANT deal is an unfortunate victim of larger problems. Americans might have benefited from access to ANT’s mobile payment services, but if the deal had gone through, ANT would have acquired the financial data of American citizens. ANT would use this for legitimate purposes, but there are reasonable concerns that the Chinese government could obtain access to this data and use it for intelligence purposes, since China lacks the safeguards and oversight that govern western intelligence activities. CFIUS will often approve cases where it has concerns if a risk mitigation agreement can be reached with the acquirer, but here is now no credible way to guarantee that Chinese agencies could not obtain access. Similar concerns about the misuse of data hurt the Anbang-Fidelity deal.

ANT found itself at the intersection of growing American concern over China’s trade and technology policies, it’s amplified nationalism, and the increased importance of enormous data sets for analytics and intelligence. Most activities by Chinese companies in the United States do not raise national security concerns. The problem for these companies is that they are based in a state with a long track record of commercial espionage and mass surveillance and where the rule of law is conditional. Sometimes the risk from a Chinese acquisition can be mitigated, but the space for risk-free acquisitions by China will shrink.

James Andrew Lewis is a senior vice president at the Center for Strategic and International Studies in Washington, D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2018 by the Center for Strategic and International Studies. All rights reserved.
James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program