The U.S. DHS has issued a 15-page ‘Data Security Business Advisory’ to U.S. companies on the risks of using Chinese tech – data services, equipment and companies from the People’s Republic of China (PRC).
The DHS Advisory (here – it’s a PDF so check the downloads folder) describes the data-security and reputational risks of using Chinese tech. It outlines steps that businesses can take to mitigate them.
It makes the decisive statement:
Due to PRC legal regimes* there are unique risks in Chinese tech, especially in its data service providers and data infrastructure.
Risks include the theft of trade secrets, intellectual property and other confidential business information; violations of U.S. export control laws; violations of U.S. privacy laws; breaches of contractual provisions and terms of service; security and privacy risks to customers and employees; the risk of PRC surveillance and tracking of regime critics; and reputational harm to U.S. businesses.
* Chinese laws compel PRC firms to provide data, logical access, encryption keys and other vital technical information, and to install ‘backdoors’ or ‘bugdoors’ in equipment that create easily exploitable security flaws. The Chinese Communist Party does not have to give any reason beyond the demand itself.
The tech imperative and driver is ‘Made in China 2025’ (MIC).
MIC mandates 100% Chinese-developed and Chinese-made electronics by 2025. Getting there means technological advancement at any cost.
The DHS states the CCP will help Chinese companies replace foreign companies/personnel as engineers, designers, and manufacturers of key emerging and foundational technologies.
Through state-sponsored theft of data, such as intellectual property theft and trade secrets, the CCP plans to shift manufacturing from lower-value goods to higher value-added technical areas.
CCP-sponsored data theft not only accelerates the reduction of foreign competitors’ domestic market share, but it also hastens the arrival of PRC technological dominance in international markets. These include aerospace, semiconductors, robotics, artificial intelligence systems, biometrics, cyber intelligence, genomics, pharmaceutical medicines, and sustainable/green energy materials.
The CCP also collects foreign data to enhance its national security and geopolitical interests.
Stolen intellectual property has been essential to the People’s Liberation Army’s modernisation, equipping it with advanced warfighting and information capabilities. The CCP utilises foreign data as a tool to map the activities, relationships, status, and vulnerabilities of key individuals, including PRC dissidents.
The Advisory goes on to outline many instances where China has engaged in intellectual property theft.
DHS Recommendations on the risks of Chinese Tech
The Advisory recommends that businesses do not:
- Use Chinese-owned or Chinese-located data centres. Instead, store data in U.S. owned/located data centres (the term includes cloud).
- Use foreign data centres (anywhere) built with PRC components. The PRC can mandate backdoors or bugdoors in the equipment. Google and Microsoft use their own hardware designs to keep backdoors out.
- Use telecommunications infrastructure designed, built or maintained by PRC companies.
- Allow data to transit over the above. It cites a Huawei-built data centre in Papua New Guinea using equipment that can easily intercept data flows via an “openly broken” encryption algorithm and outdated firewalls that reached their “end of life” two years before the facility opened.
- Accept predatory deals under the market price.
- Enter into PRC joint ventures.
- Assume that anonymised data cannot be reconstructed.
- Use software and mobile apps designed in the PRC (and the cloud is usually there as well). It cites evidence that the Chinese app TikTok can covertly track a device’s unique MAC address. Combined with app usage and location data, this enables real-time relational mapping and monitoring.
- Use Chinese-developed fitness trackers or wearables. The evidence is that such devices identify where each user lives, works or spends time. They provide travel patterns and can be used to identify names and family members.
- Believe any PRC company’s statement that it is somehow exempt from PRC law or can resist CCP requests.
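The “anonymised data cannot be reconstructed” point deserves a concrete illustration. The following is an added example (not from the DHS Advisory) showing why stripping names is not enough: the remaining quasi-identifiers (ZIP code, birth year, sex) can still single out a record, and anyone holding a second list with the same fields can join on them. The records and field names are constructed for the demonstration; `k_anonymity` measures the smallest group that shares a quasi-identifier combination (k = 1 means a record is uniquely linkable), and `generalise` shows one standard mitigation, coarsening the fields before release.

```python
"""Measure how well a 'de-identified' dataset resists linkage.

Added example, not from the DHS Advisory. All records are constructed.
k-anonymity: for each combination of quasi-identifiers, count how many
records share it; the smallest count is k. A record with k == 1 can be
re-identified by anyone holding a second dataset with the same fields.
"""
from collections import Counter

# Quasi-identifiers: fields that are not names but are often public elsewhere.
QUASI = ("zip", "birth_year", "sex")

# Constructed sample: a health export with names already removed.
RELEASED = [
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
    {"zip": "02138", "birth_year": 1961, "sex": "F", "diagnosis": "flu"},
    {"zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "02139", "birth_year": 1985, "sex": "M", "diagnosis": "asthma"},
    {"zip": "02140", "birth_year": 1966, "sex": "F", "diagnosis": "hypertension"},
]


def quasi_key(record):
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[field] for field in QUASI)


def class_sizes(records):
    """Map each quasi-identifier combination to the number of records sharing it."""
    return Counter(quasi_key(r) for r in records)


def k_anonymity(records):
    """Smallest equivalence-class size; k == 1 means at least one record is unique."""
    return min(class_sizes(records).values())


def uniquely_identifiable(records):
    """Number of records that are alone in their quasi-identifier class."""
    sizes = class_sizes(records)
    return sum(1 for r in records if sizes[quasi_key(r)] == 1)


def generalise(records, zip_digits=3, year_bucket=10):
    """Coarsen quasi-identifiers before release: keep only the leading ZIP digits
    and round birth years down to a bucket, so more records share each class."""
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        g["birth_year"] = (r["birth_year"] // year_bucket) * year_bucket
        out.append(g)
    return out


if __name__ == "__main__":
    print("raw release:        k =", k_anonymity(RELEASED),
          "unique records =", uniquely_identifiable(RELEASED))
    coarse = generalise(RELEASED)
    print("generalised release: k =", k_anonymity(coarse),
          "unique records =", uniquely_identifiable(coarse))
```

Before release the sample has k = 1: the single 02140/1966/F record is unique, so a public roster with those three fields identifies that person’s diagnosis. After generalisation every class holds at least two records. A realistic pre-release check would run this over the real quasi-identifiers and refuse to publish until k clears an agreed threshold.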
It finishes (paraphrased) by noting that many U.S. companies don’t realise their data’s value, whether business-confidential information, trade secrets, customer personally identifiable information or other sensitive information.
Data theft can lead to legal exposure, reputational risk, and the unfair advantage that stolen data and intellectual property give competitors.
Implementation of the Advisory is at a whole-of-government level. Businesses should refer to the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST).