New cyber security laws could put further strain on foreign companies in China

Life's getting tougher for foreign firms operating inside China. The canary down the mine here is Apple, which lowered its Q1 guidance in early January after blaming "economic deceleration" there and the ongoing Sino-US trade war. Yet the latter is just one part of a much bigger tectonic shift in how the two superpowers treat each other. At the centre of this evolution is a renewed focus on the protection of national security — or at least the pretence of doing so. That's why the US has been on a mission to convince its allies to ban Huawei from 5G infrastructure projects.

Excluding Chinese firms from sensitive deployments is one thing. But what about the risk to multi-nationals and their customers posed by their operations in the Middle Kingdom? New cyber security laws could make it much easier for the Chinese authorities to censor, spy on, and take sensitive data from the networks of such firms.

Under inspection

The problem here relates to updates to the notorious 2017 Cybersecurity Law. Analysts have told me in the past that the law gives the authorities the power to conduct 'national security reviews' into a broad range of critical infrastructure firms operating in China. In so doing, they would be able to extract source code and vital info on vulnerabilities in such firms, which could be used by state spies in offensive cyber campaigns.

The new provisions, titled Regulations on Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定), build on this to give sweeping new powers to the Ministry of Public Security (MPS). According to a new report from Recorded Future, these powers include:

  • Conducting remote and on-site inspections of any firm with five or more internet-connected computers, which means virtually every foreign company in China
  • Checking for system vulnerabilities, copying user information and checking security response plans during on-site inspections
  • The ability to probe for vulnerabilities in remote inspections. These inspections are not bound by time or limited by scope, meaning they could be used to access parts of the business not linked to Chinese operations. Nor are investigators mandated to notify the company of their findings
  • For remote inspections, the MPS can involve third-party "cybersecurity service agencies", which Recorded Future believes may increase the chances of vulnerability discovery and the risk of data leaks
  • MPS is also empowered to enforce China's prohibited content laws under these 'cyber security' provisions, effectively allowing it to monitor for censorship compliance

A chilling impact

As per the original Cybersecurity Law, China will argue that these provisions are needed to mitigate the growing cyber risks that face all organisations today. It will, no doubt, point in particular to the need to mitigate the risk from US hacking operations, which Edward Snowden revealed are conducted both with and without the knowledge of US companies. However, the law and this new update use legitimate national security and data protection concerns as cover to plunge the hand of the state ever further into corporate data and systems.

Phil Muncaster

Phil Muncaster has been writing about technology since joining IT Week as a reporter in 2005. After leaving his post as news editor of online site V3 in 2012, Phil spent over two years covering the Asian tech scene from his base in Hong Kong. Now back in London, he always has one eye on what's happening out East.
