Bitcoin Mining Is Big in China. Why Investors Should Worry.

Critics of the nearly ubiquitous digital currency Bitcoin often focus on its environmental consequences. After Tesla announced recently that it had bought roughly US$1.5 billion in Bitcoin, sending the cryptocurrency’s value skyrocketing, sustainability investors decried the “level of carbon dioxide emissions generated from Bitcoin mining.” Certainly, “mining”—the energy-intensive process by which computers solve complex algorithmic problems to verify blockchain transactions, for which they’re rewarded in digital currency—is an undeniable environmental offender.

But there is another worrying aspect of Bitcoin, one that should make investors think twice about including it as part of an ethical investing strategy.

A large amount of new Bitcoin comes from Xinjiang, the region in northwest China where more than a million Uighur Muslims and other minorities have been imprisoned in concentration camps. According to the Cambridge Bitcoin Electricity Consumption Index, as of April 2020, China was responsible for 65% of all Bitcoin mining. And of that, 36% takes place in Xinjiang, the largest regional component. Why? Cheap coal means cheap energy to power the machines that mine Bitcoin. Xinjiang has an abundant supply of coal, and the region’s relative remoteness means that it’s far cheaper to use the resource locally than move it to other parts of China. The issue is not that the Chinese government uses forced labour in Xinjiang coal mines—the reporting on that is inconclusive. Rather, because of the atrocities occurring in Xinjiang, any product produced there brings with it high ethical and regulatory risk.

In the camps—which Beijing calls “vocational educational and training centres”—guards try to “deradicalise” Uighurs for crimes such as wearing long dresses, abstaining from pork or alcohol, or praying. While the difficulty of reporting in the region means that concrete evidence is scarce, camp survivors have described systemic torture, forced sterilization, and rape. (Beijing denies committing atrocities.) In January, right before leaving office, Secretary of State Mike Pompeo declared that Beijing was committing “genocide” in the region. His successor, Antony Blinken, agrees.

To summarize: Roughly 20% of new Bitcoin is mined in Xinjiang, the site of some of the world’s most egregious human-rights abuses.

Today, Bitcoin’s association with Xinjiang is barely discussed. But that may change. For public-facing funds considering investing in the notoriously volatile asset, there are two other risks to consider. The first is that because of the concern among the American public about human-rights abuses in Xinjiang, holding assets tied to the region comes at the risk of a public relations disaster.

Already, activists have criticised Olympic sponsors for participating in the “genocide Olympics”—the 2022 Beijing Winter Games. Multiyear campaigns to hive Xinjiang off from the global supply chain are already well under way.

In July, more than 190 organizations, including the AFL-CIO, called for clothing brands to end all sourcing from Xinjiang within the next 12 months. (In 2020, roughly 20% of the world’s cotton came from Xinjiang.) It’s not hard to imagine Bitcoin becoming another frontier in their campaigns.

Investors should be alert for regulatory action. Bitcoin’s Xinjiang relationship gives ammunition to those in the U.S. government who may want to further monitor or restrict the transactions. Analysts expect the Biden administration to pay close attention to Bitcoin. In mid-February, Treasury Secretary Janet Yellen criticised the “misuse” of cryptocurrencies in laundering money or funding terrorism. At the same time, Bitcoin’s Xinjiang connection could put it on the radar of the various arms of the Commerce, State, and Defense departments that are seeking to reduce U.S. dependence on physical and digital Chinese goods. If this trend intensifies, the Treasury Department could sanction the Bitcoin mining firms that have large operations in Xinjiang, or issue advisories that it is “studying” Bitcoin’s links to the region—signalling to global financial institutions another risk of holding the cryptocurrency.

In January, U.S. Customs banned the imports of Xinjiang cotton and tomato products and told U.S. companies to get forced labour out of their supply chains. Extricating Bitcoin from Xinjiang could be far more difficult. Unlike, say, blood diamonds or Iranian crude oil, Bitcoins exist only digitally. While there is a public record of the billions of Bitcoin transactions, it’s exceedingly complicated to determine the geographic origin of a particular Bitcoin. That means all Bitcoin holders can deny any connection to human-rights abuses—but also risk being tarnished by the association.

It has long been ironic that Bitcoin, developed to decentralize power, is so dependent on China, a country ruled by a government obsessed with centralizing it. But depending on China is one thing. Depending on Xinjiang is another. There are many excellent ethical and regulatory reasons not to buy Bitcoin. Add Xinjiang to that list.

Isaac Stone Fish is the CEO and founder of Strategy Risks, a firm that quantifies corporate exposure to China.>

As tech leaders race to bring Windows systems back online after Friday’s software update by cybersecurity company CrowdStrike crashed around 8.5 million machines worldwide, experts share with CIO Journal their takeaways for preparing for the next major information technology outage.

Be familiar with how vendors develop, test and release their software

IT leaders should hold vendors deeply integrated within IT systems, such as CrowdStrike , to a “very high standard” of development, release quality and assurance, said Neil MacDonald , a Gartner vice president.

“Any security vendor has a responsibility to do extensive regression testing on all versions of Windows before an update is rolled out,” he said.

That involves asking existing vendors to explain how they write software, what testing they do and whether customers may choose how quickly to roll out an update.

“Incidents like this remind all of us in the CIO community of the importance of ensuring availability, reliability and security by prioritizing guardrails such as deployment and testing procedures and practices,” said Amy Farrow, chief information officer of IT automation and security company Infoblox.

Re-evaluate how your firm accepts software updates from ‘trusted’ vendors

While automatically accepting software updates has become the norm—and a recommended security practice—the CrowdStrike outage is a reminder to take a pause, some CIOs said.

“We still should be doing the full testing of packages and upgrades and new features,” said Paul Davis, a field chief information security officer at software development platform maker JFrog . undefined undefined Though it’s not feasible to test every update, especially for as many as hundreds of software vendors, Davis said he makes it a priority to test software patches according to their potential severity and size.

Automation, and maybe even artificial intelligence-based IT tools, can help.

“Humans are not very good at catching errors in thousands of lines of code,” said Jack Hidary, chief executive of AI and quantum company SandboxAQ. “We need AI trained to look for the interdependence of new software updates with the existing stack of software.”

Develop a disaster recovery plan

An incident rendering Windows computers unusable is similar to a natural disaster with systems knocked offline, said Gartner’s MacDonald. That’s why businesses should consider natural disaster recovery plans for maintaining the resiliency of their operations.

One way to do that is to set up a “clean room,” or an environment isolated from other systems, to use to bring critical systems back online, according to Chirag Mehta, a cybersecurity analyst at Constellation Research.

Businesses should also hold tabletop exercises to simulate risk scenarios, including IT outages and potential cyber threats, Mehta said.

Companies that back up data regularly were likely less impacted by the CrowdStrike outage, according to Victor Zyamzin, chief business officer of security company Qrator Labs. “Another suggestion for companies, and we’ve been saying that again and again for decades, is that you should have some backup procedure applied, running and regularly tested,” he said.

Review vendor and insurance contracts

For any vendor with a significant impact on company operations , MacDonald said companies can review their contracts and look for clauses indicating the vendors must provide reliable and stable software.

“That’s where you may have an advantage to say, if an update causes an outage, is there a clause in the contract that would cover that?” he said.

If it doesn’t, tech leaders can aim to negotiate a discount serving as a form of compensation at renewal time, MacDonald added.

The outage also highlights the importance of insurance in providing companies with bottom-line protection against cyber risks, said Peter Halprin, a partner with law firm Haynes Boone focused on cyber insurance.

This coverage can include protection against business income losses, such as those associated with an outage, whether caused by the insured company or a service provider, Halprin said.

Weigh the advantages and disadvantages of the various platforms

The CrowdStrike update affected only devices running Microsoft Windows-based systems , prompting fresh questions over whether enterprises should rely on Windows computers.

CrowdStrike runs on Windows devices through access to the kernel, the part of an operating system containing a computer’s core functions. That’s not the same for Apple ’s Mac operating system and Linux, which don’t allow the same level of access, said Mehta.

Some businesses have converted to Chromebooks , simple laptops developed by Alphabet -owned Google that run on the Chrome operating system . “Not all of them require deeper access to things,” Mehta said. “What are you doing on your laptop that actually requires Windows?”