In June 2017, China’s new cybersecurity law gave its Ministry of State Security (basically, China’s spy agency) new powers over foreign technology. Now, new provisions announced in November 2018 under the title ‘Internet Safety Supervision and Inspection Regulations’ have expanded the intrusive capabilities of the Ministry of Public Security (MPS) — China’s internal police authority.
These provisions give the MPS broad investigative powers over the networks of companies operating in China — including all foreign companies. An analysis by Recorded Future’s Insikt group highlights two new powers: the right of physical inspection (accompanied by armed policemen); and the right of remote inspection.
This is to support the MPS responsibility towards internal cybersecurity and China’s national laws. However, it is the vague wording and potential interpretation of the provisions that concern Insikt. “Articles within the new provisions contain sweeping measures that should alarm any business currently operating in China,” it warns.
The provisions apply to any company with either a fixed IP address, or five or more computers connected to the internet. In effect, this will be almost all companies in China, and almost certainly all foreign companies operating in China. The MPS is now allowed to enter the companies’ premises, computer rooms and workplaces, and inspect all user information, computer infrastructure, cybersecurity protections, hosting or domain name information, and content distribution.
Refusal to cooperate in such an inspection is punishable by law. The inspection is accompanied by at least two members of the People’s Armed Police to assist in and sign off on all inspections.
However, the MPS now also has the right to conduct remote inspections. Insikt is concerned that the wording of the provision doesn’t immediately indicate whether a remote inspection is limited to a penetration test, or allows the installation of a system backdoor. While a degree of pre-arrangement is necessary for a physical inspection, a remote inspection can be conducted at any time without warning.
Worryingly, there seems to be a contradiction in inspection reporting requirements. Article 19 requires that the MPS supervise and guide organizations to mitigate against any hidden network security risks found during inspection. Nevertheless, Insikt warns that the regulations contain no obligation for the MPS to disclose the full results of either an on-site or remote inspection.
The implication that must be considered by all non-Chinese companies operating in China is that this provision gives the MPS the right to surreptitiously hack any organization it wishes. It goes further by allowing the MPS the right to involve third-party cybersecurity service agencies — a provision, warns Insikt, “which substantially increases the risk of vulnerability discovery and data leakages.”
The MPS is required by the provisions to share its reports with relevant government departments; but they do not specify who these are. “The information obtained,” warns Insikt, “could theoretically be leveraged by its state or foreign surveillance arms to monitor corporate and customer data.” This potential is further exacerbated by the vague wording of the provisions. “Article 16 may also empower MPS officers to access parts of the company’s enterprise not even related to or within territorial China,” comments Insikt. “The implications for unlimited remote inspections on the networks of international corporations could be far-reaching and create significant risk for customers and international operations.”
Insikt warns that since companies often follow the same basic infrastructure design for all their networks, vulnerabilities found within companies in China could possibly be used against the same companies’ networks outside of China.
China occupies a unique position in cyber. Its avowed intention to close the gap between it and western technology is behind many China-led hacking incursions in the West — the latest of which was reported last week with a campaign led by APT10 against companies in the United States and Europe, designed to steal intellectual property or gain commercial advantage.
At the same time, the economic size of the China market and low cost of labor cannot be ignored by western businesses, many of which feel compelled to open operations within the People’s Republic. These new provisions give the China police huge new and invasive powers against networks operating in China — and possibly further abroad. The official purpose may be to ensure that companies are complying with national laws, but the requirement to share inspection reports with other Chinese agencies suggests the provisions could be used more widely.
Insikt has stressed to SecurityWeek that all it has been able to do is analyze the potential use of the provisions from somewhat vague wording. There is as yet no precedent on how the provisions will be employed. Without that precedent, Insikt cannot say definitively what will evolve from the potential of the provisions. Asked if a prior physical inspection could learn enough about a network infrastructure to make a later, more surreptitious remote inspection more effective, it told SecurityWeek, “The short answer is, ‘maybe yes’; but without precedent either way at this point that we’re aware of.”
At the very least companies need to shore up their networks within China to make a ‘successful’ remote MPS inspection less likely; and to segment their international networks so that the China network cannot be used as a stepping stone to other networks.