China’s Data Security Landscape
This post addresses the options foreign companies have for operating in China and protecting their critical data. The assumption is usually that there must be a technical solution that allows foreign companies to protect their private technical data in China. The problem is technical, so there must be a technical solution.
Enough with the Techno-optimism
This is a symptom of unrealistic techno-optimism. There is almost nothing you can do. Any form of data you transmit across the Chinese border is available for inspection and use by the Communist Party and its agents.
You Have Three Choices. None Good.
What then is to be done? You have three basic choices.
1. Identify the technical data you do not want the CCP to obtain. Then, do not transfer that data to any location in China for any reason. If this means you cannot do business in China, that is what this means.
2. Capitulate and allow your data to be taken by the CCP.
3. Assume all your systems in China are compromised. Then work with your cyber-security consultant to design a system in China that will work in a situation where everyone involved knows the system is compromised. This is the kind of program used by people who work in hostile environments. It is the realm of spy-craft and operations behind the lines in times of war. These evasion techniques are regularly provided to dissidents and oppressed persons operating in China. So, evasion techniques do exist.
The Problems with Evasion Techniques
The problem is that these techniques assume an openly adversarial environment. The people who use these techniques understand punishment will follow if the evasion technique is discovered. For that reason, it is too risky for on the ground managers and employees to make use of this approach. So though this approach may be technically feasible, application of these techniques is usually not practical. However, once the problem is understood, it may be possible for foreign cyber-security professionals to design usable techniques that can be safely applied in a compromised environment like China.
These are the three possible responses to China. So long as the CCP operates China’s cyber-insecurity system, there is no place to hide in China. Every entity operating in China must make a frank assessment of the risks it takes by working within the existing system. There is no escape from facing the issue directly.
Why Common Alternatives Won’t Work
Consider why any other alternative simply will not work. For example, imagine a situation where a powerful foreign investor in China states the following to the regulators:
We know you want to steal the data housed on our servers located in China. We will only transfer that data into China if you provide us with a blanket exemption to your cyber-insecurity system. We will house our data on servers installed by our own technicians. We will only use equipment we have inspected for malware and back doors. We will use our own encryption and we will not provide you with the keys. We will communicate on our own secure VPN that exempts us from any control by the Great Firewall. We will use our own, foreign based, anti-virus software. Our network systems will operate using the most advanced server and operating system software.
We know this system is not compliant with China’s cyber-security, surveillance, and control system. But allowing us to use our non-compliant system that operates outside the Great Firewall and outside the cyber-insecurity system is the price China must pay for our company to operate within China or to transfer any technology of any kind into China. Take it or leave it.
Since this demand violates Chinese law and policy, the Chinese government will reject it. But for purposes of this discussion, assume the Chinese authorities agree to allow a foreign investor to operate per the above. It still would not work because the Chinese system forces anyone operating in China into an insecure environment and once in that insecure environment, any system of cyber-security will fail. Thinking a cyber-solution will provide a place to hide is a dangerous fantasy.
China’s system drives all persons and entities into an insecure network environment. The CCP’s ultimate goal is to install malware on all network devices. A primary target in this program is smart phones. In China today, nobody can function without a smart phone. Virtually every aspect of daily life and business life requires smart phone apps. The Party and its agents understand this, and they are believed to have installed malware on all smart phones made or used in China.
China’s Malware Reality: It’s Everywhere You Want to Be
The forced use of WeChat is an example of how the system works. A number of our clients have asked us whether they should be concerned with WeChat as a vector for malware infection on their systems. This question misses the issue. WeChat IS malware. If you install WeChat on your system, you are installing malware. No sophisticated phishing campaign is required. You did it yourself. There is a reason for this. No company can do business in China without using WeChat. There is no escaping this if you operate in China or if, outside China, you work with Chinese companies and individuals. Virtually every smartphone application distributed by the Chinese government is a form of malware. The following are some examples of this.
1. Study of Xi Jinping thought is now mandatory in China. The Party has created a smartphone app intended to promote that study: the Study the Great Nation App. Just about everyone in China has this app. Since advancement within the Party and the bureaucracy requires using the app (and since use is monitored), it is regularly accessed. The app is more than an educational tool, it is a form of malware and it conducts information gathering, file transmission and protection, code execution and backdoors, obfuscation for hiding functionality, and collaboration with external companies. The average foreign executive will not have this app installed. But the Party cell members in that foreign executive’s office will have that app on their phone, as will virtually everyone in China with whom she does business will. There is no effective way to avoid the reach of the app and its data gathering functions.
2. Many governments in China created smart phone applications to monitor self-quarantine and other measures as part of their coronavirus control programs. The best known of these was created in Hangzhou and, as with the Great Nation app, this app is also a form of malware. This app was required for the daily functions of life: entry into neighborhoods, purchase of train and bus tickets, entry into shopping malls. This app could not be avoided, and it no doubt remains on many people’s phones to this day.
3. Even foreign tourists and other foreign visitors to China are forced into China’s smartphone malware system. It has become a regular procedure for China border control to inspect the smartphone of every person entering into China and these inspections are particularly thorough for entry into sensitive areas such as Xinjiang and Tibet. As part of the inspection process, border agents now routinely install tracking malware on those smartphones and tourists are not permitted to opt out because compliance is a condition of entry. This procedure demonstrates how China’s cyber-insecurity system works. Step One, police inspection is mandatory. Step Two, the police take any data they want to take. Step Three, the police leave behind tracking malware to make the network device permanently accessible by the Chinese government and its favored companies. This is exactly what the CCP and its agents do when “inspecting” office computer networks and offsite cloud systems. Inspection is cover for insertion of malware. Insertion of malware is the primary goal.
Software is The Real Threat
All networked systems in China are treated the same way: smartphones, computer networks, cloud systems. The CCP’s goal is to push all users of these networks into an insecure environment. Many of our readers have expressed concerns about using Chinese hardware. They believe they can escape from Chinese data monitoring by using their own self certified hardware devices. But hardware is not the issue. The issue is software. The Party and its agents will allow you to use the hardware of your choice. The cyber-insecurity system works so well for China because it imposes its system on you by forcing you into a compromised, insecure software environment. If you are in China or dealing with China, you are part of China’s monitoring system.
Your hardware does not matter for China, though it is true that much Made in China hardware (see Huawei’s 5G system) has been developed to monitor outside China. This can be seen by the continued saga of Huawei attempts to participate in the roll out of 5G networks in the United Kingdom. Even though Huawei was under intense pressure to deal with security concerns in the U.K, the U.K. Huawei Oversight Board found that Huawei’s systems failed to meet minimum security standards. The reason for the failure is NOT related to Huawei hardware. The security issues are related to the software component. “Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines.” The report found “critical, user-facing vulnerabilities” in fixed access products caused by “particularly poor code quality” and the use of an old operating system.
This echoes the way the China’s insecure systems work: users are forced to use poorly written government mandated software and outdated operating systems. Even when pushing out product to a very suspicious foreign government, Huawei is not able to escape from the basic structure of the PRC’s cyber-insecurity regime because its sales within China require they operate this way. This is all is a feature of a system that prioritizes CCP monitoring over revenues. One of my biggest concerns is that Internet of Things devices, such as smart lights, smart thermostats, and other such items sold to American consumers are similarly compromised.
What Can You Do? What Can You Do?
What if anything can be done when there is no practical way to protect network data that crosses the Chinese border? The Chinese cyber-insecurity system is designed to make all networks of any kind open to access by the CCP and its agents. This access includes collection and use of all data available on every network operating within the borders of the PRC. For a foreign invested enterprise, this means access to and use of all technical data that crosses the Chinese border.
The answer to what can be done is that you need to understand China realities. Do not fool yourself into thinking you can defeat China’s all-pervasive cyber-insecurity system. In that sense, the answer is quite simple: if there is data you do not want the CCP to see, do not send that data to China.
For years, foreign investors have worked to find a “workaround” to the Chinese system. There is no work around. China does not do loopholes. There is no place to hide.