The United States Department of Homeland Security (DHS) has published a guide to the terrifying risks that businesses will expose themselves to if they use tech created in the People’s Republic of China (PRC) or engage in any business activity with the Middle Kingdom.
The fifteen-page “Data Security Business Advisory” [PDF] opens by warning “Businesses expose themselves and their customers to heightened risk when they share sensitive data with firms located in the PRC, or use equipment and software developed by firms with an ownership nexus in the PRC.”
Among the risks mentioned are “theft of trade secrets, of intellectual property, and of other confidential business information; violations of U.S. export control laws; violations of U.S. privacy laws; breaches of contractual provisions and terms of service; security and privacy risks to customers and employees; risk of PRC surveillance and tracking of regime critics; and reputational harm to U.S. businesses.”
The document argues that China’s 2017 National Intelligence Law is a primary source of risk, as it “compels all PRC firms and entities to support, assist, and cooperate with the PRC intelligence services, creating a legal obligation for those entities to turn over data collected abroad and domestically to the PRC.”
China’s new Data Security Law, due to come into force in 2021, also gets a lashing on grounds that it offers China’s government further surveillance powers and will “force foreign markets to remain open to Chinese data services providers.”
The document also says China’s new encryption law compels key-sharing.
The Department therefore advises American businesses that any data they hold in Chinese data centres won’t be secure, Chinese-designed hardware has backdoors, and joint ventures with Chinese firms will see third-party data shared around.
Made-in-China mobile apps such as TikTok aren’t safe, the advice adds, while even fitness trackers are a risk because the location data they collect could be harvested by the Communist Party, matched with property tax records and “further leveraged to identify names and family members”.
Once it’s done scaring readers, the document suggests businesses “should minimize the amount of at-risk data being stored and used in the PRC or in places accessible by PRC authorities” and “acquire a thorough understanding of the ownership of data service providers, location of data infrastructure, and any tangential foreign business relationships and significant foreign investors.”
The document recommends that businesses find an alternative, trustworthy supplier, if they can find one. Which may not be easy given that we know the United States National Security Agency has tapped gear made by US companies, while Russia is suspected of having close to God-mode access to big American companies thanks to flaws at SolarWinds and FireEye.
The document tells IT operators to “ensure proper segmentation of their network infrastructure from any external software use” (see SolarWinds and FireEye above). And all businesses are told to brush up their cybersecurity skills (see SolarWinds and FireEye above).
None of the advice is silly, but it lacks detail on how to figure out if a supplier has a Huawei router lurking on a rack somewhere, or how to determine if a business relationship draws you into the PRC’s legal orbit.
At least it does recommend ongoing due diligence. Which probably means lawyers and security consultants should be busy. The Register expects the latter will start mentioning the DHS document in their marketing before too long. ®