China Is Stealing AI Secrets to Turbocharge Spying, U.S. Says

U.S. officials are worried about hacking and insider theft of AI secrets, which China has denied

On a July day in 2018, Xiaolang Zhang headed to the San Jose, Calif., airport to board a flight to Beijing. He had passed the checkpoint at Terminal B when his journey was abruptly cut short by federal agents.

After a tipoff by Apple’s security team, the former Apple employee was arrested and charged with stealing trade secrets related to the company’s autonomous-driving program.

It was a skirmish in a continuing shadow war between the U.S. and China for supremacy in artificial intelligence. The two rivals are seeking any advantage to jump ahead in mastering a technology with the potential to reshape economies, geopolitics and war.

Artificial intelligence has been on the Federal Bureau of Investigation’s list of critical U.S. technologies to protect, just as China placed it on a list of technologies it wanted its scientists to achieve breakthroughs on by 2025. China’s AI capabilities are already believed to be formidable, but U.S. intelligence authorities have lately made new warnings beyond the threat of intellectual-property theft.

Instead of just stealing trade secrets, the FBI and other agencies believe China could use AI to gather and stockpile data on Americans at a scale that was never before possible.

China has been linked to a number of significant thefts of personal data over the years, and artificial intelligence could be used as an “amplifier” to support further hacking operations, FBI Director Christopher Wray said, speaking at a press conference in Silicon Valley earlier this year.

“Now they are working to use AI to improve their already-massive hacking operations using our own technology against us,” Wray said.

China has denied engaging in hacking into U.S. networks. Chinese Foreign Ministry spokesman Wang Wenbin said this summer that the U.S. was the “biggest hacking empire and global cyber thief” in the world, in response to allegations that Beijing had hacked into the unclassified email systems of several top-level Biden administration officials. A spokesman at the Chinese Embassy in Washington didn’t respond to requests for comment.

In recent years, the FBI’s interest in protecting American innovations in the area has more squarely targeted manufacturers of chips powerful enough to process artificial-intelligence programs, rather than on artificial-intelligence companies themselves. Even if insiders or hackers were able to steal algorithms underpinning an advanced system today, that system could be obsolete and overtaken by larger advancements by other engineers in six months, several former U.S. officials said.

In 2022, the chip-manufacturing technology supplier Applied Materials sued a China-owned rival, Mattson Technology, alleging that a former Applied engineer stole trade secrets from Applied before leaving for Mattson. The case attracted the interest of federal prosecutors, although no criminal charges have been filed, according to people familiar with the matter.

Mattson hasn’t been contacted by any federal agency over the matter, and there is no evidence that any Applied information taken was ever used by Mattson, a company spokesman said. Mattson, based in Fremont, Calif., was acquired in 2016 by an investment arm of the city of Beijing, which currently owns about 45% of the company, the spokesman said.

The case remains in litigation. In November, Mattson sued Applied, claiming that engineers at Applied had applied for patents using intellectual property developed while they were working at Mattson.

Fears of how China could use AI have grown so acute over the past year that the FBI director and leaders of other Western intelligence agencies met in October with technology leaders in the field to discuss the issue.

Makers of AI technology are concerned about their secrets making their way to China, too, according to executives at these companies. Recently, OpenAI reached out to the FBI after a forensic investigation of a former employee’s laptop raised suspicions that the employee had taken company secrets to China, according to people familiar with the company. The employee was later exonerated, according to a person familiar with the matter.

U.S. intelligence analysts have worried for years about the long-tail espionage dividends that China is believed to be reaping from amassing enormous troves of hacked personal information belonging to American officials and business executives.

Over the past decade, Beijing has been linked to the hacks of hundreds of millions of customer records from Marriott International, the credit agency Equifax and the health insurer Anthem (now known as Elevance Health), among others, as well as more than 20 million personnel files on current and former U.S. government workers and their families from the Office of Personnel Management. The heists were so huge and frequent that Hillary Clinton, then a Democratic presidential candidate, accused China of “trying to hack into everything that doesn’t move.” China has denied responsibility for each of those heists.

China was so good at stealing private information—billions of pieces of data in all, according to U.S. officials, criminal indictments and cyber-threat researchers—that its hackers had likely collected too much of a good thing: an informational treasure trove so vast that humans would be incapable of locating the right patterns. Artificial intelligence, however, would have no such limitations.

Microsoft believes China is already using its AI capabilities to comb these vast data sets, said Brad Smith, the company’s president, in an interview with The Wall Street Journal.

“Initially the big question was did anyone, including the Chinese, have the capacity to use machine learning and fundamentally AI to federate these data sets and then use them for targeting,” he said. “In the last two years we’ve seen evidence that that, in fact, has happened.”

Smith cited the 2021 China-linked attack on tens of thousands of servers running Microsoft’s email software as an example. “We saw clear indications of very specific targeting,” he said. “I think we should assume that AI will be used to continue to refine and improve targeting, among other things.” Smith didn’t address the issue of AI technology being stolen by China.

In the 2018 case, the former Apple employee Zhang pleaded guilty to stealing trade secrets and is set to be sentenced in February. His plea agreement is under seal. Apple declined to comment.

U.S. authorities believe Chinese intelligence operatives are correlating sensitive information across the databases they have stolen over the years from OPM, health insurers and banks—including fingerprints, foreign contacts, financial debts and personal medical records—to locate and track undercover U.S. spies and pinpoint officials with security clearances. Passport information stolen in the Marriott hack could help spies monitor a government official’s travel, for example, counterintelligence analysts have said.

“China can harness AI to build a dossier on virtually every American, with details ranging from their health records to credit cards and from passport numbers to the names and addresses of their parents and children,” said Glenn Gerstell, a former general counsel at the National Security Agency. “Take those dossiers and add a few hundred thousand hackers working for the Chinese government, and we’ve got a scary potential national security threat.”

Although executives including Smith are concerned by the weaponization of AI, they point out that this technology can be used to spot and mitigate attacks, too.

“We believe that if we do our work well and we’re determined to do our work well, we can use AI as a more potent defensive shield than it can be used as an offensive weapon,” Smith said. “And that’s what we need to do.”