The recent raid [1] on the Shanghai offices of Bain & Company by Chinese authorities serves as a reminder that U.S. advisory firms operating in China face unique and high inherent risks due to the sensitive and strategic nature of the client data they possess and the tense geopolitical dynamics between the U.S. and China. With many of these firms’ clients being multinational corporations, the risks associated with their operations in China are of particular concern. The Bain & Company raid, which involved the seizure of computers and phones, comes amid an increasingly strained economic and political relationship between the U.S. and China. This is the second raid on a U.S. advisory firm in the last month, with Chinese authorities having previously raided the offices of the Mintz Group, detaining five Chinese nationals on suspicion of unlawful business operations. Additionally, China recently amended its espionage law, further increasing the exposure of these firms and their multinational clients to potential prosecution for spying.

Given these developments, it is important to conduct a sector risk analysis to understand the extent of the risks and identify the advisory firms that are most vulnerable. To aid in this effort, we decided to use ChatGPT to conduct a preliminary sector analysis. Figure 1 below shows the prompt and results of our analysis.

While the inherent risk for U.S. advisory firms operating in China is high, implementing stronger network security measures can serve as a potential control. According to the New York Times, “many global companies operating in China are taking steps to wall off their computer systems outside of China in order to limit the potential loss of trade secrets and other valuable data”. [1]

For larger entities that operate their own Autonomous System networks (ASN), a specific network control would be to secure upstream peering relationships and implement routing encryption (RPKI) in these networks. Among the companies listed earlier, McKinsey operates its own ASN in China. We previously highlighted this issue in a December 2019 post, [2] where we noted that McKinsey’s ASN had two Chinese telecommunications companies as upstream peers and was not implementing RPKI, making their ASN vulnerable to deep packet inspection by upstream peers. As shown in Figure 2 of the Hurricane Electric BGP toolkit, this network is still routing through two Chinese ASNs (lower right table) and has not implemented RPKI (middle left). [3]

Of the companies listed, most do not operate their own Autonomous System networks (ASN) in China. As shown in Figure 3, some of these advisory firms rely on Chinese hosting providers. To identify the Chinese domains of these firms hosted on Chinese networks, we can use DomainTools. [5] Column 1 lists the names of the U.S. advisory firms, while columns 2-6 show the Chinese networks where their domains are hosted.

To control for this risk, these companies should ensure that their data and communications are encrypted. If possible, they also switch to non-Chinese hosting and service providers to reduce their exposure to potential network risks.

Conclusions:  Advisory firms operating in China face high inherent risk. Some of these companies show indications of network risk which could be controlled through measures like securing upstream peering relationships and implementing routing encryption (RPKI).

As for using ChatGPT as a research and planning tool, it proved to be highly effective and efficient in providing a quick and concise sector analysis of U.S. advisory firms in China. While there were minor errors in the domain names for KPMG, it still outperformed traditional search methods.

P.S. Kudos for ChatGPT for editorial assistance! 

REFERENCES

1. NYTimes – U.S. Consulting Firm Is the Latest Target of a Chinese Crackdown, 27-April-2023. https://www.nytimes.com/2023/04/27/business/bain-china.html
2. Cybercrank.net – From Routing Risk to Cyber Sovereignty: A China Case. 27-Dec-2019 https://cybercrank.net/from-routing-risk-to-cyber-sovereignty-a-china-case-2/
3. Hurricane Electric: BGP – McKinsey, 27-April-2023:  https://bgp.he.net/search?search%5Bsearch%5D=McKinsey&commit=Search
4. Hurricane Electric: BGP – Bain, 27-April-2023 https://bgp.he.net/search?search%5Bsearch%5D=Bain&commit=Search
5. DomainTools – Iris Investigate. https://iris.domaintools.com/investigate/