# Comparative Risk Assessment
*How Chinese model risk compares to US open-weight, closed API, and custom-trained alternatives.*

Extracted from the comprehensive scenario and risk analysis. Full document: `../104-research-scenario-walkthroughs/attack-scenarios-and-comparative-risk.md`
## 1. Chinese Open-Weight vs. US Open-Weight Models
### Risk Comparison Matrix
| Risk Dimension | Chinese (Qwen/DeepSeek) | US (Llama/Mistral) | Delta |
|---|---|---|---|
| State-directed backdoor | PLAUSIBLE (legal + strategic incentive) | SPECULATIVE (no known incentive) | Meaningful gap |
| Training data poisoning | PLAUSIBLE | PLAUSIBLE (by any adversary) | Narrow gap |
| Systematic output bias | PROVEN (on CCP topics) | PROVEN (different biases) | Moderate gap (Chinese bias is adversary-aligned) |
| Supply chain compromise | PLAUSIBLE | PLAUSIBLE | No gap |
| Jailbreak susceptibility | PROVEN (higher rates) | PROVEN (lower rates) | Moderate gap |
| Transparency of training | Low | Moderate | Moderate gap |
### China-Specific Risk Factors
- Legal obligation: National Intelligence Law (2017), Article 7 — compels cooperation with state intelligence. No equivalent for Meta/Mistral. [PROVEN — enacted law]
- Demonstrated censorship alignment: Overt on CCP-sensitive topics. [PROVEN]
- Strategic motivation: Documented state-level AI-enabled intelligence strategy. [PROVEN]
- Lower security baseline: DeepSeek database exposure (Wiz, January 2025). [PROVEN]
### Why the Gap Is Narrower Than Assumed
- Training data poisoning affects ALL models trained on web-scraped data. Carlini et al. (2023) demonstrated practical web-scale data poisoning. [PROVEN mechanism]
- No model has been publicly demonstrated to contain a state-planted backdoor. [Documented absence]
- Supply chain risks are equivalent for any Hugging Face download. [PROVEN]
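The supply-chain point can be made concrete: the same integrity check applies to any downloaded checkpoint regardless of origin, which is part of why the gap stays narrow. A minimal sketch, assuming a trusted SHA-256 digest for the weight file has been recorded out of band (the function names here are illustrative, not from any particular tool):

```python
import hashlib
from pathlib import Path


def sha256_of(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in 1 MiB chunks so multi-GB weight files fit in constant memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        while chunk := f.read(chunk_size):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checkpoint(path: Path, expected_sha256: str) -> bool:
    """Compare a downloaded artifact against a digest pinned out of band."""
    return sha256_of(path) == expected_sha256.lower()
```

Note the limit of this control: digest pinning only detects tampering after the digest was published. It does nothing against a model that was compromised before publication, which is the scenario the matrix above is actually about.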
## 2. Open-Weight vs. Closed API Models (OpenAI, Anthropic)
### Trust Assumptions with Closed APIs
| Risk | Description | Evidence |
|---|---|---|
| Data exposure to provider | All inputs visible to API provider | PROVEN (by architecture) |
| Government compulsion (US) | FISA, NSLs could compel data sharing | PROVEN (legal mechanism) |
| Model behavior changes | Provider can change model without notice | PROVEN (documented) |
| No auditability | Cannot inspect weights or training | PROVEN (by design) |
### The Paradox
For defense use, closed API models have a fundamentally different risk profile, not a lower one. You trade model-compromise risk for data-exposure risk. For CUI or above, local deployment of an inspectable model is preferable despite model-integrity risks.
## 3. Custom-Trained Models on Controlled Data
| Approach | Cost (est.) | Timeline | Capability |
|---|---|---|---|
| Train from scratch (>70B) | $10M-$100M+ | 6-12 months | State-of-the-art |
| Train from scratch (7-13B) | $500K-$5M | 2-6 months | Moderate |
| Fine-tune US open-weight base | $10K-$500K | 1-4 weeks | Good |
| Distill from multiple teachers | $50K-$1M | 1-3 months | Good |
Residual risks: Training data contamination, framework/toolchain compromise, unintended biases, capability limitations creating pressure to supplement with pre-trained models.
Practical approach: Start from US open-weight base (Llama), fine-tune on controlled data, implement defense-in-depth monitoring.
## 4. The Fundamental Question
Is this about Chinese models specifically, or about any model you didn’t train?
The Honest Answer: Mostly the latter, with a meaningful increment for Chinese origin.
Origin-agnostic risks (70-80% of threat surface):
- Training data poisoning
- Unknown RLHF biases
- Supply chain compromise
- Unauditable weight-level behaviors
- Prompt injection vulnerability
China-specific increment (additional 20-30%):
- Legal compulsion under National Intelligence Law
- Demonstrated willingness to embed CCP-aligned censorship
- Strategic intelligence collection incentive
- Lower baseline security practices
- Active intelligence posture against US defense targets
### Marginal Risk Multiplier
| Use Case | Multiplier | Rationale |
|---|---|---|
| Technical tasks (code, formatting), no tools | ~1.2-1.3x | Low sensitivity, limited attack surface |
| Analytical tasks on sensitive topics, with tools | ~1.5-2.0x | High sensitivity, broad attack surface |
| Compliance/regulatory contexts | Effectively infinite | De facto prohibition regardless of technical risk |
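One way to read the multipliers above, with the loud caveat that the baseline score, the midpoint choices, and the function itself are illustrative assumptions rather than measurements from the assessment:

```python
import math

# Midpoints of the table's ranges; math.inf encodes the compliance case,
# where no technical baseline makes the deployment acceptable.
MULTIPLIERS = {
    "technical_no_tools": 1.25,     # midpoint of ~1.2-1.3x
    "analytical_with_tools": 1.75,  # midpoint of ~1.5-2.0x
    "compliance_context": math.inf,
}


def marginal_risk(baseline: float, use_case: str) -> float:
    """Scale an origin-agnostic baseline risk score by the China-specific multiplier."""
    return baseline * MULTIPLIERS[use_case]
```

For example, `marginal_risk(0.4, "analytical_with_tools")` scales a notional 0.4 baseline to roughly 0.7, while any compliance-context use returns infinity, matching the table's de facto prohibition.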
### Government Actions (as of early 2025)
| Entity | Action | Basis |
|---|---|---|
| US Navy | Banned DeepSeek from government devices | Data security |
| NASA, Pentagon | Blocked DeepSeek access | Security review |
| Italy | Temporarily blocked DeepSeek app | GDPR/data privacy |
| Australia | Banned DeepSeek from government devices | Security concerns |
| Taiwan | Banned DeepSeek from government use | National security |
| South Korea | Blocked DeepSeek on government devices | Security concerns |
Key observation: Most bans target the API service (data flowing to Chinese servers), not local use of open weights.
## References
- Carlini, N. et al. “Poisoning Web-Scale Training Datasets is Practical.” IEEE S&P, 2023.
- China National Intelligence Law (2017), Article 7.
- Wiz Research. “Exposed DeepSeek Database.” January 2025.
- ODNI Annual Threat Assessment, 2024-2025.