An official website of the United States government

Official websites use .gov

A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS

A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

You are viewing ARCHIVED CONTENT released online from January 20, 2017 to January 20, 2021.

Content in this archive site is NOT UPDATED, and links may not function.

For current information, go to

As prepared

Good afternoon.  Thank you for the chance to talk, and to Matt Bunn for his kind introduction.  It’s been quite a while since I’ve done a Belfer Center event – and a great deal longer still since the days in which I spent a great deal of my time hanging out at the Kennedy School, at Belfer and at the Institute of Politics, when I was undergraduate policy wonk like I imagine are some of you on this link.  So let me start by saying that it’s great to be back, even if “back” still just means sitting in front of a computer on a video link. 

Anyway, I’m very much looking forward to our discussion today, and after my prepared remarks, I’d be happy to take questions about anything that might happen to interest you related to the corner of the State Department that its been my privilege to oversee for the last 13 or 14 months while performing the duties of the Under Secretary for Arms Control and International Security.  So feel free to range as broadly as you like in your questions, and in return I’ll try to be as forthcoming as I can. 

I’d like, however, to begin by talking briefly about an issue to which we are trying to draw more and more attention, and which I term “technology transfer de-risking,” or “T2D.”  

On one level, I don’t think this concept is particularly novel.  It represents what seems to me to be a pretty common-sense application of “de-risking” principles that are well established elsewhere to a new, emerging policy arena of obvious importance.  But I should probably begin by describing what I mean when I talk about “de-risking” in the first place. 

If you’ve heard of “de-risking” in the context of private sector economic activity, it’s probably in the context of anti-money-laundering compliance.  In the “AML” world, it’s been commonplace for some time for companies and financial institutions to avoid engagement with customers or activities where they decide that it’s not really feasible to manage the risk presented by any given business relationship.  In AML, for instance, firms may adopt various strategies up to and including to terminating or exiting relationships with particular high-risk customers – such as certain foreign correspondent banks, money service businesses, or embassies – where these entities are simply too likely to be involved in money laundering to make doing business with them worthwhile. 

But while it’s best known in the money-laundering world, the concept of “de-risking” is one that has broader applicability.  In fact, “de-risking” is used in various different fields.   

Generally, it denotes the avoidance of a risk through avoidance of the activity that brings that risk.  As explained by the Financial Action Task Force – an inter-governmental body that has served as a standards-setting, global money-laundering and terrorist financing watchdog since 1989 – “de-risking”

“refers to the phenomenon of financial institutions terminating or restricting business relationships with clients or categories of clients to avoid, rather than manage, risk …. De-risking can be the result of various drivers, such as concerns about profitability, prudential requirements, anxiety after the global financial crisis, and reputational risk.  It is a misconception to characterise de-risking exclusively as an anti-money laundering issue.”

Of course, it does not make sense to require terminating, or even restricting, every activity that carries a risk.  Nor does it make sense for policymakers to push financial and commercial actors toward a de-risking approach where no vital policy goal is involved or where de-risking is not the best way to pursue such a goal.  So careful assessment of benefits and risks is clearly necessary here.  Some activities, though carrying risk, are best continued with risk mitigation measures in place as safeguards, rather than being curtailed altogether.  

But with respect to certain activities in certain areas where especially problematic actors are involved, or where circumstances otherwise make risk mitigation unfeasible, restriction and even avoidance become much more sensible.  Thus, though we do not wish to see important goods and services withheld from whole countries or communities under an indiscriminate de-risking approach, de-risking is never off the table altogether.  These concepts can be, and are, applied in a range of issue areas. 

As the guy who’s been running the State Department’s Bureau of International Security and Nonproliferation for the last three years, let me give nonproliferation as an example.  With the increased emphasis the international community has placed upon nonproliferation in the last two decades, nonproliferation de-risking has emerged as a growing area.   

Numerous U.N. Security Council resolutions (UNSCRs) adopted pursuant to Chapter VII of the United Nations Charter, for instance, now require all U.N. Member States to impose sweeping sanctions against North Korea on account of its weapons of mass destruction (WMD) programs.  Broad nuclear-related sanctions against Iran have also now come back into force pursuant to the terms of UNSCR 2231 (2015).  Additionally, UNSCR 1540 has since 2004 required all U.N. Member States to refrain from providing any form of support to non-State actors that attempt to develop, acquire, manufacture, possess, transport, transfer, or use nuclear, chemical or biological weapons, or their means of delivery.  In short, de-risking over the past two decades has joined the nonproliferation toolkit. 

As both international rules and an expanding corpus of domestic law have grown up in this area – including robust efforts by U.S. authorities to respond to sanctions evasion, and a broad range of independent penalties imposed under national sanctions authorities – it is increasingly common for financial and commercial due diligence to include attention to nonproliferation equities, for reasons not merely of legal risk but also of reputational harm.   

But “de-risking” policies and practices are not limited solely to violations of nonproliferation sanctions, where heavy penalties can lie in wait for those who do not do enough to avoid facilitating abuses by their clients and customers.  Attention is also increasingly being paid to de-risking where the potential for direct harm to private sector actors is largely reputational, such as where specific activities or commodities are likely to implicate them in unsavory things such as labor and human rights abuses committed by their commercial counterparties overseas.    

“De-risking” can thus be seen as part of a spectrum of available responses through which commercial and financial actors take prudential steps to partially or wholly protect themselves and their investors against various types of harm that can inadvertently result from the policy externalities created by incautious business decisions.  This could include, for example, things such as facilitating international drug trafficking, WMD proliferation, or human rights abuses.   

I’d like to argue that this kind of due diligence thinking should also be extended to involvement with commercial or other entities from the People’s Republic of China (PRC) that are involved in problematic activity, with particular attention to the risks of technology diversion to military applications. 

So why do I suggest that engagements with PRC entities are so risky?   

Well, to begin with, even before taking technology diversion national security issues into account, it’s worth remembering that commercial dealings with and investments in the PRC are in some ways inherently risky.  This is unfortunately already quite clear.  U.S. financial regulators, for instance, have warned that corporate stock offerings, financial prospectuses, and other instruments coming out of China involve “substantially greater risk that disclosures will be incomplete or misleading and, in the event of investor harm, [there will be] substantially less access to recourse.”  PRC environmental and labor standards are notoriously poor, and even high-profile sectors such as nuclear reactor safety regulation take shortcuts in the name of sectoral expansion in order to meet government growth targets.  Intellectual property theft from foreign commercial counterparties has also been routinized — even where sweeping technology transfers were already required under Chinese law — pursuant to government policies explicitly devoted to helping PRC “national champion” firms take over every significant economic and technological sector from their Western competition. 

And this isn’t just an accident.  Such institutionalized untrustworthiness is actually an inescapable, structural part of the PRC’s system of governance.  The totalizing nature of the Chinese Communist Party’s (CCP’s) authority all but preordains this, for the PRC is a system that precludes true fidelity to the rule of law almost by definition, since national law is merely a creation and instrument of the state, whereas in China the state itself belongs to and works for the Communist Party, which is itself subject to literally no legal check unless (and only for so long as) it chooses to be.   

This problem is worsened by the CCP’s own antidemocratic legitimacy narrative, which all but requires the institutionalization of dishonesty.  The CCP rejects democratic accountability to the Chinese people in large part upon the implied or explicit assertion that in return for the Party’s absolute power, the CCP’s subjects at least live under a collective leadership that is supposedly always correct and always looking out for the best interests of the country.   In this context — and for a ruling Party that cannot really evade responsibility for anything in China because its absolutism gives it power to do just about anything if it really wants to — it is hardly surprising that the CCP is extraordinarily sensitive about its reputation, and has become notorious not merely for falsifying its own bloody history and record in power, but also for routinely covering up abuses, corruption, and ineptitude on an industrial scale.  It’s internal legitimacy narrative, purporting to justify authoritarianism, basically requires the suppression of unfavorable information.  No wonder Western financial regulators warn us not to place too much faith in documents associated with Chinese stock offerings and financial prospectuses. 

But these problems are not new, and Western financial and corporate interests were long willing to suffer under such conditions of opacity and unfairness in return for the short-term profits offered during the PRC’s last generation of export-led growth.  As the West has begun to wake up to the problems created by such facilitation of the “rise” of an increasingly militarized and brutally authoritarian state that sees its own destiny as that of reorganizing the global system around itself, however, the full implications of incautious involvement with the PRC are becoming much more clear.    

The United States has of late been increasingly willing to move against Chinese entities that are engaged in or support some of the more horrific aspects of CCP policy.    

Nor is the question limited simply to dealings with PRC firms in China itself, for the myriad security and policy risks of any entanglement with the PRC’s technology giants – even abroad – are also becoming increasingly clear.  Foreign entities engaging with certain PRC entities risk user data theft, espionage, vulnerability to cyber criminals, complicity in the human rights abuses of the CCP surveillance state, and risk of strategic and political manipulation from Beijing.   

This growing understanding of the risks of involvement with PRC firms such as Huawei – but hardly limited only to that firm and its aggressively symbiotic and collaboratively instrumental relationship with CCP power and global ambition – has prompted leading Western governments such as Germany, France, Japan, Sweden, the United States, and the United Kingdom to impose ever more effective restrictions upon efforts by such firms to take over 5G telecommunications infrastructures around the globe, in some cases simply leading to outright bans on Huawei.  This is important from a de-risking perspective, since with each step drawing attention to such dangers and increasing the consequences associated with companies’ support for or facilitation of provocative PRC policies and activities, Western firms need ever more carefully to consider the dangers inherent in doing business with such PRC entities, especially high-tech ones.    

So the de-risking challenges associated with the CCP’s domestic totalitarianism and the PRC’s destabilizing geopolitical revisionism are steadily growing.  As awareness increases of these problems, moreover, so too do the potential legal, market, and reputational harms that can arise for Western private sector actors from their imprudent entanglement with the CCP Party-State.    

And indeed, much of this seems to be underway.  In one example – prompted by growing attention being given to the CCP’s ongoing campaign of repression against Uyghurs, ethnic Kazakhs, ethnic Kyrgyz, and other ethnic and religious minorities in Xinjiang, including the horrific mass detention of more than one million persons, torture, forced labor, coercive family planning (including forced abortion and forced sterilization), sexual assault, and attempts to “Sinicize” exercise of the Islamic faith – Western companies have quite properly begun trying to dissociate themselves from PRC supply chains in the textile sector that might be tainted by forced labor in Xinjiang.  Such dis-entanglement seems likely to occur across an ever-broader range of issue areas. 

So this is where T2D comes in, for in the technology arena there are additional risks that deserve attention from private commercial and financial actors.  In particular, there is real risk arising from the PRC’s ongoing and systematic effort to acquire cutting-edge Western technology  and to divert it to the People’s Liberation Army (PLA) and the Chinese security services in support of the CCP’s destabilizing geopolitical revisionism and hegemonic ambition.   

This is a favorite topic of mine, and a threat about which I have been warning publicly since at least July 2018.  Simply put, the PRC’s strategy of “Military-Civil Fusion” (MCF) presents a significant national security threat to all the nations of the democratic world, as well as an ongoing challenge for any possessor of cutting-edge technology that engages with any person or entity subject to PRC jurisdiction.   

Irrespective of any end-use commitments or other promises that may have been given, under Chinese law no person or entity subject to PRC jurisdiction can refuse cooperation if the authorities request access to any technology to which that person or entity has access.  Nor is there any legal recourse against such commands, for in the CCP’s China, the law is itself merely a tool of the Party.  As noted above, this is simply a fact of life in modern China under the extra-legal – or perhaps, more accurately, supra-legal – set of coercive tools available to the CCP.  To be sure, 

Chinese companies or nationals clearly do not always, or necessarily even usually, act as de facto extensions of the CCP and do its bidding as functional appendages of the Chinese police state.  Nevertheless, the CCP and the PRC government apparatus it controls — for, with apologies to Voltaire, who made a similar point about the relationship between 18th Century Prussia and its army, while most states have political parties, the Chinese Communist Party quite literally has its own state — enjoy extraordinary powers to coerce and to co-opt essentially anyone, if the Party chooses to exert itself in such a fashion.”   

From the point of view of technology-possessors in the non-PRC world, therefore, there is literally no way to be entirely sure that a militarily useful technology, if transferred into PRC hands, will not be diverted to the PLA or the security services.  Since the entire MCF bureaucracy exists precisely in order to carry out such transfers, moreover, one has to assume that such transfer probably will occur.   

As a result, any physical or informational transfer of militarily-useful technology, especially at or near the cutting edge of what is presently possible – not to mention transfers related to foundational and emerging technologies – must be presumed to be problematic.  As the CCP regime’s oppressive, technology-facilitated totalitarianism at home and destabilizing arrogance and aggressiveness abroad both grow, these facts must necessarily be taken into account in engagements with the PRC technology sector.  Otherwise, “ordinary” commercial transfers and transactions contribute to extraordinary problems that have global implications. 

This does not mean, of course, that we should – or could – impose a full-scope blockade on absolutely anything that might conceivably have military utility.  In a world as interconnected as is our own, we are necessarily primarily in the business of risk mitigation rather than complete risk avoidance.  But it is also clearly the case that much more care and caution is needed in engagements with the PRC technology sector in order to avoid transfers of those technologies explicitly sought by the MCF system – such as artificial intelligence, quantum computing, “hot section” aviation engine technology, high-end semiconductor manufacturing technology, nuclear reactor technology, and Big Data analytics.  And much more care and caution is needed in order to avoid involvement with PRC entities that support this system.  This makes T2D of growing importance. 

In the U.S. Government, we have been working to respond to these challenges, beginning with our revision of national security export control policy on civil-nuclear cooperation in October 2018, and more recently with changes in semiconductor design tool licensing, visa screening, and Hong Kong-related export rules, as well as the addition of key PRC technology companies to the Commerce Department’s “Entity List.”  Additionally, we are now revising our rules for screening foreign investments in the United States, and how we handle export control rules vis-à-vis foundational and emerging technologies.   

Because technology engagements with the PRC can clearly entail significant reputational, policy, and potentially legal risks, however, it is also now necessary for the private sector to pay more attention to technology-transfer de-risking, particularly (though not exclusively) with regard to engagements with the PRC and its MCF apparatus.  We are still in the early days of the development of T2D as an area of specialized expertise, but already it is becoming increasingly possible to conduct “know your customer” (KYC) due diligence that can reduce the risk of inadvertent support for or subsidization of the PLA or the Chinese security services.   

Open-source information, including some very comprehensive analyses by scholars and think tanks, is today making it more and more practical to identify PRC entities that have at least an overt affiliation with the MCF system.  Since this is a cooperative challenge, moreover, we in government are ourselves working to make more T2D-relevant information available as well.  

Private technology-holders necessarily have a good feel for the nature of their own technologies, and therefore also for these technologies’ potential implications in malevolent hands.  Now that the threat of dangerous technology diversion is so widely known – and is indeed now being comprehensively publicized through various organs of the U.S. Government, even as we step up measures designed to prevent and to address such activity – private companies have both the opportunity and a clear need to think through de-risking in a new way, to help protect themselves from the multiple risks involved.   

This is a new area, and despite its importance is still only an emerging sub-specialization within the well-established arena of corporate due diligence.  Nevertheless, T2D is a topic of increasing salience, and one should expect to see more work being done in this field.

U.S. Department of State

The Lessons of 1989: Freedom and Our Future