China's new cybersecurity law will enable its government to discover potential security vulnerabilities of any company doing business in the country, threat intelligence firm Recorded Future warns.
The law grants the China Information Technology Evaluation Center (CNITSEC), an office in the Ministry of State Security (MSS), the power to request source code and other intellectual property of tech suppliers operating in the country. Information gleaned might easily be exploited by CNITSEC in furtherance of its intelligence operations, Recorded Future claims.
Priscilla Moriuchi, director of strategic threat development at the firm, reckons the measures place companies between a rock and a hard place. Vendors either have to give up their proprietary technology and IP, or lose out on one of the world's biggest and most important markets.
A white paper by Recorded Future, published Thursday, examines the law's impact and offers practical advice on how firms might navigate the rules while trading in China. Recorded Future's cautionary take follows previous criticism that the law posed compliance difficulties for foreign companies because it imposed what have been described as onerous, vague, and broad new legal requirements.
Bill Hagestad, a former US Marine Corps lieutenant colonel turned cyber conflict author and researcher, told El Reg that China's tough new regulations come from a mindset moulded by "haunting memories" of when the Eight-Nation Alliance invaded and attempted to colonise China in the early 1900s.
"As a result of this foreign effrontery, China lives daily with the shame of having almost been ruled by foreign devils," Hagestad explained. "This historical basis is the foundation for the People's Republic of China's New Internet Security Law.
"The digital geography of the Middle Kingdom is now sacrosanct and will not be violated as was China's geography physically during the beginning of the 19th century."
The impact on foreign businesses has been severalfold, according to Hagestad.
"IBM has acquiesced building servers for Larkspur to serve (no pun intended) the Chinese banking industry; Apple has removed nefarious VPN applications from its app store to appease the Communist boys and girls in Beijing... ALL foreign companies must submit to data inspections, and most importantly, if there is Chinese data it can never leave the Middle Kingdom."