New cyber security laws could put further strain on foreign companies in China

Amidst the ongoing US-China trade war, new Chinese laws may expose foreign firms to even more cyber security (and censorship) risks.

Life's getting tougher for foreign firms operating inside China. The canary down the mine here is Apple, which lowered its Q1 guidance in early January after blaming "economic deceleration" there and the ongoing Sino-US trade war. Yet the latter is just one part of a much bigger tectonic shift in how the two superpowers treat each other. At the centre of this evolution is a renewed focus on the protection of national security — or at least the pretence of doing so. That's why the US has been on a mission to convince its allies to ban Huawei from 5G infrastructure projects.

Excluding Chinese firms from sensitive deployments is one thing. But what about the risk to multi-nationals and their customers posed by their operations in the Middle Kingdom? New cyber security laws could make it much easier for the Chinese authorities to censor, spy on, and take sensitive data from the networks of such firms.

Under inspection

The problem here relates to updates to the notorious 2017 Cybersecurity Law. Analysts have told me in the past that the law gives the authorities the power to conduct ‘national security reviews’ into a broad range of critical infrastructure firms operating in China. In so doing, they would be able to extract source code and vital info on vulnerabilities in such firms, which could be used by state spies in offensive cyber campaigns.

The new provisions, titled Regulations on Internet Security Supervision and Inspection by Public Security Organs (公安机关互联网安全监督检查规定), build on this to give sweeping new powers to the Ministry of Public Security (MPS). According to a new report from Recorded Future, these powers include:

  • Conducting remote and on-site inspections of any firm with five or more internet-connected computers, which means virtually every foreign company in China
  • Checking for system vulnerabilities, copying user information and checking security response plans during on-site inspections
  • The ability to probe for vulnerabilities in remote inspections. These inspections are not bound by time or limited by scope, meaning they could be used to access parts of the business not linked to Chinese operations. Nor are investigators mandated to notify the company of their findings
  • For remote inspections, the MPS can involve third-party "cybersecurity service agencies", which Recorded Future believes may increase the chances of vulnerability discovery and the risk of data leaks
  • MPS is also empowered to enforce China's prohibited content laws under these ‘cyber security’ provisions, effectively allowing it to monitor for censorship compliance

A chilling impact
