Author Topic: Do American companies specifically keep tabs on their Chinese employees?  (Read 2313 times)

Paul der Krake

  • Walrus Stache
  • Posts: 5854
  • Age: 16
  • Location: UTC-10:00
I sling code in the tech industry for a living and have been thinking about this for a while.

The industry in the US is filled with employees from all over the world, but mainly the foreigners come from two countries: India and China. I don't have solid numbers to back this up, but let's just say 10%, or any number large enough to be statistically significant.

State-sponsored corporate espionage is a reality, and let's get real, everyone probably does it to a certain degree. But no country has as strong a reputation for this type of thing as China.

If you're in charge of infosec at a large tech firm, wouldn't you be interested in finding out whether any of your employees does in fact leak IP to a notoriously hostile foreign government? How deep do you start electronically profiling (if at all) your workforce and where do you stop?

Obviously some things are easier to implement company-wide because they require comparatively few resources. If someone, anyone, starts regularly downloading code from projects they don't work on, you probably want to know about it, Chinese or not. The extreme opposite would be to follow employees around 24/7, which is obviously cost-prohibitive unless you already suspect foul play.

I'm interested in hearing everyone's thoughts on whether infosec departments have profiling techniques that directly take into account someone's country of origin. Why? Why not?

oldtoyota

  • Magnum Stache
  • Posts: 3179
I read a book by an ex-Russian spy. He worked his way into a company responsible for the electrical grid in New Jersey. He also worked in IT.

He spoke perfect English and had an American name and social security number. He'd been given an American name by his Russian handlers and taught to speak American English over a long time period.

The FBI did eventually figure out he was probably a spy and were able to turn him.

His real goal was to get an American passport and infiltrate high society in Washington, DC. He did not get that far, but he got pretty far.

Now, the guy is an American living in Georgia.

A Fella from Stella

  • Pencil Stache
  • Posts: 524
I read a book by an ex-Russian spy. He worked his way into a company responsible for the electrical grid in New Jersey. He also worked in IT.

He spoke perfect English and had an American name and social security number. He'd been given an American name by his Russian handlers and taught to speak American English over a long time period.

The FBI did eventually figure out he was probably a spy and were able to turn him.

His real goal was to get an American passport and infiltrate high society in Washington, DC. He did not get that far, but he got pretty far.

Now, the guy is an American living in Georgia.

Book?

FIRE Artist

  • Handlebar Stache
  • Posts: 1070
  • Location: YEG
I imagine you could find someone of any ethnicity who would be willing to steal secrets for the right price. 

EvenSteven

  • Pencil Stache
  • Posts: 990
  • Location: St. Louis
I imagine you could find someone of any ethnicity who would be willing to steal secrets for the right price.

I believe they are referring to nationality, not ethnicity. An important distinction in this case.

I work at a non-profit, with many graduate students and post-docs who are Chinese citizens. AFAIK we don't keep any special tabs on them. However, we do need to consult with the FBI sometimes when bringing in scientists from China for visits.

Aelias

  • Bristles
  • Posts: 427
Monitoring access to company systems and limiting access to a need-to-know basis is just good sense.  So most large companies monitor extensively.

Singling out employees for monitoring based on their race, ethnicity, or immigration status is discrimination and it's illegal. 

ncornilsen

  • Handlebar Stache
  • Posts: 1047
We only hire US citizens, and no foreign national is permitted to view process or technical information of any kind. In a few cases where a foreign national is the only person who can work on a machine, we've built walls around the machine for the duration of their time to prevent them from seeing anything but what they're working on.

Quote
Singling out employees for monitoring based on their ... or immigration status is discrimination and it's illegal. 

False.

Quote
An employer may restrict hiring to U.S. citizen only if a law, regulation, executive order, or government contract requires the employer to do so.  Learn more about this exception by contacting IER and at 8 U.S.C. § 1324b(a)(2)(C).

Paul der Krake

  • Walrus Stache
  • Posts: 5854
  • Age: 16
  • Location: UTC-10:00
Singling out employees for monitoring based on their race, ethnicity, or immigration status is discrimination and it's illegal. 
Immigration status is obviously false, but I'm not sure about the other ones. For employment, sure, definitely illegal. But for monitoring?

former player

  • Walrus Stache
  • Posts: 8821
  • Location: Avalon
Any Chinese national who is a student in the west has been vetted by their government and got government approval for their studies- as told to me by a Chinese national grad student.

oldtoyota

  • Magnum Stache
  • Posts: 3179
I read a book by an ex-Russian spy. He worked his way into a company responsible for the electrical grid in New Jersey. He also worked in IT.

He spoke perfect English and had an American name and social security number. He'd been given an American name by his Russian handlers and taught to speak American English over a long time period.

The FBI did eventually figure out he was probably a spy and were able to turn him.

His real goal was to get an American passport and infiltrate high society in Washington, DC. He did not get that far, but he got pretty far.

Now, the guy is an American living in Georgia.

Book?

I am not sure but the author/spy name came to me...Jack Barsky. He wrote the book under that name, which was the name of an American boy who died. (That is how they get the SSN.) Of course, he had a different name at birth.

The only way he found to escape the KGB was to tell them he had AIDS and would die...the Russians did not want to get AIDS from him.

oldtoyota

  • Magnum Stache
  • Posts: 3179
« Reply #10 on: August 02, 2019, 04:06:36 PM »
I imagine you could find someone of any ethnicity who would be willing to steal secrets for the right price.

True. It is also true Russia and China have the money, experience and training to send spies here.

Aelias

  • Bristles
  • Posts: 427
« Reply #11 on: August 02, 2019, 06:00:33 PM »
Monitoring access to company systems and limiting access to a need-to-know basis is just good sense.  So most large companies monitor extensively.

Singling out employees for monitoring based on their race, ethnicity, or immigration status is discrimination and it's illegal.

I should clarify.  If you have an immigration status that allows you to be lawfully employed in the US, most employers can’t use that as a reason to take an adverse action against you.  Obviously there are exceptions in certain regulated industries (defense, national security). For example, you can’t say, “we don’t hire anyone with a green card” or, more pertinent to this discussion, “we’re going to monitor all Chinese nationals”.

https://www.uscis.gov/i-9-central/employee-rights-resources/preventing-discrimination

As to monitoring employees based on their protected status (race, sex, religion, national origin, etc.), that is definitely against Title VII of the Civil Rights Act.  Any employment decision can’t be made on the basis of a protected class or in retaliation for complaining about discrimination or exercising any other legally protected right.  Now, if you have a Chinese employee who’s accessing data they’re not supposed to, heck yeah, you can fire them.  But that policy must be equally applicable to any other employee who engages in similar conduct.
« Last Edit: August 02, 2019, 06:06:59 PM by Aelias »

FIRE Artist

  • Handlebar Stache
  • Posts: 1070
  • Location: YEG
« Reply #12 on: August 02, 2019, 06:17:30 PM »
I imagine you could find someone of any ethnicity who would be willing to steal secrets for the right price.

True. It is also true Russia and China have the money, experience and training to send spies here.

True, but my point was that they wouldn’t necessarily have to do anything as obvious as sending a national over to steal secrets, they could pay many people to do it. I don’t think targeting a specific nationality would solve the problem.

Aelias

  • Bristles
  • Posts: 427
« Reply #13 on: August 02, 2019, 06:25:33 PM »
We only hire US citizens, and no foreign national is permitted to view process or technical information of any kind. In a few cases where a foreign national is the only person who can work on a machine, we've built walls around the machine for the duration of their time to prevent them from seeing anything but what they're working on.

Quote
Singling out employees for monitoring based on their ... or immigration status is discrimination and it's illegal. 

False.

Quote
An employer may restrict hiring to U.S. citizen only if a law, regulation, executive order, or government contract requires the employer to do so.  Learn more about this exception by contacting IER and at 8 U.S.C. § 1324b(a)(2)(C).

So, the section you’re quoting is actually one of the exceptions to the general prohibition against immigration status discrimination.  I’m willing to bet your company is a federal contractor and due to the nature of your work, your contract with the government  prevents you from hiring non-US citizens.  If that’s the case, you’re right — perfectly lawful.  But again, that’s the exception to the rule.
https://www.law.cornell.edu/uscode/text/8/1324b

RetiredAt63

  • CMTO 2023 Attendees
  • Senior Mustachian
  • Posts: 20742
  • Location: Eastern Ontario, Canada
« Reply #14 on: August 03, 2019, 11:08:45 AM »
I feel like I'm reading a Helen MacInnes novel here.  If you want a feel for cold war espionage and activities, her novels will provide that. 

seattlecyclone

  • Walrus Stache
  • Posts: 7254
  • Age: 39
  • Location: Seattle, WA
« Reply #15 on: August 03, 2019, 01:02:30 PM »
I know my employer reduces access to company systems for any employees who are physically located in Russia or China, even temporarily. The risk of government agents coercing these employees to log in and download stuff is seen as too great, I guess. I'm not aware of any special monitoring for folks located in the US who happen to have Chinese citizenship. They probably get the same scrutiny as anyone else.

oldtoyota

  • Magnum Stache
  • Posts: 3179
« Reply #16 on: August 03, 2019, 09:31:39 PM »
I imagine you could find someone of any ethnicity who would be willing to steal secrets for the right price.

True. It is also true Russia and China have the money, experience and training to send spies here.

True, but my point was that they wouldn’t necessarily have to do anything as obvious as sending a national over to steal secrets, they could pay many people to do it. I don’t think targeting a specific nationality would solve the problem.

That is also true. Sadly, lots of examples exist of Americans who did just that.

Aelias

  • Bristles
  • Posts: 427
« Reply #17 on: August 04, 2019, 09:00:02 AM »
This is why it makes sense to monitor everybody and every interaction with the systems.  It’s definitely possible someone can break into a company’s system on behalf of a foreign power.  But it’s way more likely you’ll get screwed by a dishonest or disgruntled employee or someone will stupidly leave the digital equivalent of the back door unlocked.  And that could be anyone.

Sibley

  • Walrus Stache
  • Posts: 7428
  • Location: Northwest Indiana
« Reply #18 on: August 04, 2019, 04:49:29 PM »
Well, I can only speak for 2 companies. Neither of them specifically kept tabs on Chinese employees.

There were general IT controls (password, authorization to get access, etc) which were in place universally.

There were data security controls/policies in place as well, that everyone has to follow. The network was monitored for outgoing files, flash drive use was restricted, etc.

There was no element of tracking by nationality. As needed, they may track a specific individual, but if that was happening HR was involved.