The Institute for Critical Infrastructure Technology’s (ICIT) publication “Did China Just Legalize Espionage?: Recent Provisions to Chinese Law Increases Risk to Multinational Organizations Operating in China” details how recent changes to China’s 2017 National Cybersecurity Law pose significant risks to the data, operations, and satellite branches of organizations in China by empowering Chinese authorities to inspect, or remotely conduct penetration tests on, the systems and networks of any business operating in China with at least five internet-connected computers.
Under the new system, the Ministry of Public Security (MPS) has the power to:
- Conduct in-person or remote inspections of the network security measures taken by companies operating in China.
- Perform remote inspections without informing companies.
- Perform penetration tests to check for vulnerabilities.
- Log security response plans during on-site inspections.
- Check for “prohibited content” banned inside China’s border.
- Copy any user information found on inspected systems during on-site or remote inspections.
- Share any collected data with other state agencies.
- Have two members of the People’s Armed Police (PAP) present during on-site inspection to enforce procedures.
Essentially, Chinese authorities have unfettered access to any systems operating in China and to any data stored on those networks, whether or not it is pertinent to operations within China. If an organization has a Chinese branch, then any data stored on that branch’s network can be “legally” copied, exfiltrated, and shared by Chinese authorities. Because the language is intentionally broad and vague, this includes intellectual property (IP), customer PII, sensitive metadata, and any other information that authorities deem relevant to their “inspection.”
Under Article 15 of the new provisions, MPS officers can enter almost any business premises, computer room, workplace, or company area related to networked systems to “check” computer systems for network security compliance. The officers can view or copy any information deemed “related to the inspection,” which includes, but is not necessarily limited to: any user information; technical network data; information security protection, hosting, or domain name information; and any content distributed by the organization. Since the Cybersecurity Law already permits authorities to inspect the source code of all applications operating within China, it is feasible that these in-person inspections could be vehicles to install malware or remotely accessible backdoors in sensitive corporate networks.
Under the new provisions, the MPS is legally permitted to conduct remote inspections and penetration tests with barely any notice to the company and without a defined scope. The MPS is allowed to involve third-party “cybersecurity service agencies” in the “inspections.” It is possible that during these operations, authorities could exfiltrate data, install malware, sabotage operations, or otherwise maliciously impact organizations with foreign origins. The MPS is not required to share any findings of its “inspections” with the company and is only required to get a supervisor’s signature for in-person operations.
The possibility of unlimited, unbounded “remote inspections” of international corporations presents a significant threat to consumers, corporations, and governments. International organizations in all sectors operating in China, including academia, healthcare, finance, energy, consulting, and critical manufacturing, as well as consumers, are at greater risk of having their data held by the Chinese government and at significantly greater risk of third-party data breaches and Chinese government surveillance. The vague and remarkably broad articles of the new provisions mean that at any time, any company operating in China could have its domestic or foreign networks compromised while its IP, consumer PII, and other valuable data is “legally copied” and later shared with unspecified entities.
It would behoove organizations operating in China to fully understand the impact of these laws on their security posture, weigh that impact against their risk tolerance, and make the necessary changes to their network, office, and facility strategies accordingly. Network segmentation, limiting operations within China, issuing significantly reduced access and privileges, minimizing system architecture, and other technical and non-technical measures may help reduce the threat that the recent provisions to China’s National Cybersecurity Law pose to international organizations.
About the Author: Parham Eftekhari is the Executive Director of the Institute for Critical Infrastructure Technology (ICIT), the nation’s leading cybersecurity Think Tank. Combining 15 years of technology experience with a lifelong passion for leadership and community engagement, Parham is privileged to advise executives at some of the world’s top public and private sector organizations, build strategic alliances, and create thought leadership programs focused on national security and cybersecurity issues.
Parham has developed or spoken at over 100 educational briefings and events at institutions including TEDx, Congress, the World Bank, and C-SPAN, and regularly contributes to technology-focused publications and the media. He is also the founder of CamPath Webcam Covers and was a co-founder of GTRA, which in its prime was one of Washington D.C.’s leading public-private sector executive collaboration organizations. Parham is fluent in French and Farsi.