US probing Alibaba cloud unit for security risks: Sources

The Biden administration is reviewing e-commerce giant Alibaba’s cloud business to determine whether it poses a risk to the United States’ national security, according to three people briefed on the matter, as the government ramps up scrutiny of Chinese technology companies’ dealings with American firms.

The focus of the probe is on how the company stores US clients’ data, including personal information and intellectual property, and whether the Chinese government could gain access to it, the sources said. The potential for Beijing to disrupt access by US users to their information stored on Alibaba cloud is also a concern, one of the people said.

US regulators could ultimately choose to force the company to take measures to reduce the risks posed by the cloud business or prohibit Americans at home and abroad from using the service altogether. The US-listed shares of Alibaba fell nearly 3 percent before the market opened Tuesday and were last trading down just over 1 percent.

Former President Donald Trump’s Commerce Department was concerned about Alibaba’s cloud business, but the Biden administration launched the formal review after he took office in January, according to one of the three people and a former Trump administration official.

Alibaba’s US cloud business is small, with annual revenue of less than an estimated $50m, according to research firm Gartner Inc, but if regulators ultimately decide to block transactions between American firms and Alibaba Cloud, it would damage the bottom line of one of the company’s most promising businesses and deal a blow to the company’s reputation as a whole.

A Commerce Department spokesperson said the agency does not comment on the “existence or non-existence of transaction reviews”. The Chinese Embassy in Washington did not respond to a request for comment.

Alibaba declined to comment. It did flag similar concerns about operating in the US in its most recent annual report, saying US companies that have contracts with Alibaba “may be prohibited from continuing to do business with us, including performing their obligations under agreements involving our…cloud services”.

United States President Joe Biden has placed restrictions on Chinese companies [File: Kevin Lamarque/Reuters]

The probe into Alibaba’s cloud business is being led by a small office within the Commerce Department known as the Office of Intelligence and Security. It was created by the Trump administration to wield broad new powers to ban or restrict transactions between US firms and internet, telecom and tech companies from “foreign adversary” nations like China, Russia, Cuba, Iran, North Korea, and Venezuela.

The office has been particularly focused on Chinese cloud providers, one of the sources said, amid growing concern over the potential for data theft and access disruption by Beijing.

The Trump administration issued a warning in August 2020 against Chinese cloud providers including Alibaba, “to prevent US citizens’ most sensitive personal information and our businesses’ most valuable intellectual property…from being stored and processed on cloud-based systems accessible to our foreign adversaries”.

Cloud servers are also seen as ripe for hackers to launch cyber attacks because they can conceal the origin of the attack and offer access to a vast array of client networks.

While there are scant public cases of the Chinese government compelling a tech company to turn over sensitive customer data, indictments of Chinese hackers reveal their use of cloud servers to gain access to private information.

For example, hackers connected to the Chinese Ministry of State Security penetrated HPE’s cloud computing service and used it as a launch pad to attack customers, plundering reams of corporate and government secrets for years in what US prosecutors say was an effort to boost Chinese economic interests.

Alibaba, the world’s fourth-largest cloud provider according to research firm Canalys, has about four million customers and describes its cloud business as its “second pillar of growth”. It saw a 50 percent rise in revenue to $9.2bn in 2020, though the division accounts for just 8 percent of overall sales.

It has boasted business relationships with units of top US companies including Ford Motor Co, IBM’s Red Hat, and Hewlett Packard Enterprise, according to press releases.

Investment and export curbs

While the sweeping Trump era powers don’t cover foreign subsidiaries of US companies, US regulators have previously found ways to link them to their US parent companies, which can, in turn, be subject to restrictions.

Before tech tensions between the United States and China started to boil, Alibaba had big ambitions for its US cloud business. In 2015, it launched a cloud computing hub in Silicon Valley — its first outside of China — with plans to compete with Amazon.com Inc, Microsoft Corp and Alphabet Inc’s Google. It later added additional data centres there and in Virginia.

A person familiar with the matter says the company scaled back its US gambit during Trump’s presidency as tensions with China escalated.

In 2018, US authorities blocked a bid by Alibaba affiliate Ant Financial, now Ant Group, to acquire US money transfer company MoneyGram International Inc over national security concerns. But a move to put Ant Group on a trade blacklist failed and an executive order banning its mobile payment app Alipay was revoked by Biden.

Biden, like Trump, has placed increasing restrictions on Chinese companies. Last month, the US government put investment and export curbs on dozens of Chinese firms, including top drone maker DJI, accusing them of complicity in the oppression of China’s Uyghur minority or helping the military.