China Malware: Sorry, Techno Geeks, There Still is no Place to Hide

In The Chinese Government is Accessing YOUR Network Through the Backdoor and There Still is NO Place to Hide, I explained how Chinese banks are requiring their account holders to install malware which allows the Chinese government to see all account holder data — financial or otherwise. We received the usual set of comments we get whenever we write about the lack of data protection in China:

  1. There are those who ask why we write about China’s lack of data protection when “every country does the same thing.” First off, this is a blog about China. Second, not every country does the same thing. Third, your data in China goes to the Chinese government, not to Facebook or to Google, and last we looked, neither Facebook nor Google has virtually unlimited power to imprison you.
  2. There are those who ask why we write about China’s lack of data protection when there isn’t anything anyone can do about it, and wouldn’t we all (including YOUR law firm) be better off just keeping our mouths shut. Yes, we would all be better off keeping our mouths shut, acting like this is not a problem, and continuing to encourage companies to go into China strictly for the money. But that is just not how we roll.
  3. You are international lawyers, not data security specialists, and you just don’t know all the easy workarounds out there that will enable you to have a China bank account and give no data to the Chinese government. I will address these comments in this post.

The most interesting comments focused on the idea that Western-style cyber security measures can be successfully used as a defense to government-led hacking in China. One detailed response appeared on Dylan Evans’ Simple Salt blog in Chinese spying: the ongoing saga.

Mr. Evans describes himself and his blog as follows:

Good security is easy for most people. I want to explain how it can be easy for you. I receive no compensation for any content on this site, and have no direct financial stake in any company mentioned on this site.

I have a deep technical background in corporate security and compliance, mostly for medical and finance companies in the USA. I currently work for a large company in the finance industry.

Mr. Evans’ stated goal is to show that cyber security is easy. But it is not easy in China, because capable technicians like Mr. Evans are not permitted to work their magic there, and other than his one post responding to ours, there is nothing on Mr. Evans’ blog to indicate he had anything to do with China cyber security prior to last week. Just to be clear, we are not questioning Mr. Evans’ cybersecurity knowledge, nor are we even questioning his knowledge of cybersecurity in China. We are simply pointing out why he seems not to realize that China cybersecurity is not your father’s cybersecurity in Tulsa or Jacksonville.

To put it starkly, in China, the government itself is the hacker and it will not allow any foreign or domestic technician to provide services that will defeat the hacker’s ultimate goals.

Simple Salt starts its post by explaining how setting up banking operations on a separate laptop can seal the compromised machine off from the protected main network. The use of a dedicated laptop for banking purposes is standard practice in China. I did that in China myself when I had to step in to help run a company there. The reason a separate laptop is required reveals where the problems lie. The Chinese bank software is written so it will only run on a Chinese version of the Windows operating system.

Moreover, it will only run on an outdated, unpatched, unsupported version of Windows — usually an old build of Windows 7. The reason is that the malware hidden in the software depends on exploiting flaws that are endemic in unpatched Windows operating systems. For this reason, anyone using a dual-language, patched, supported version of Windows 10 simply cannot make use of the bank-provided software. Use of a separate laptop is therefore forced.

In the daily life of a normal business in China, this use of a separate laptop becomes completely impractical. It is important to understand that under the new system I described, the entire financial and regulatory life of a business in China is conducted over the Internet. For full protection, then, we would need multiple separate laptops: one for each bank, one for the tax department, one for VAT receipts, one for the local government, one for the national government, one for freight forwarders, one for customs, one for the (government-controlled) accountant, one for the bookkeeper, one for the employee benefits service. The list becomes endless. So the pressure is to combine all of those software systems onto one single laptop. This laptop is then used throughout the entire working day. It is not connected to one counterparty (say, the one bank) and then immediately shut down. It remains connected to someone on the Internet for virtually the entire day.

But wait, it gets worse. Now all of the business’s important data is located on one or more dedicated laptops sealed off from the company’s main system. But to do business, the company needs the data from its laptops to go to its main system. Imagine for just a minute if all your company’s bank information were on one laptop in one office and not part of your main system. So data from the laptops has to be regularly transferred to the main system.

Not only must data from the laptop go to the main system at some point for the company to function at all smoothly, but data from the main system must also go to the laptop for use by the various systems located there. Again, just imagine how you will smoothly move only certain financial data from your main system to your laptop every day.

As a practical matter, it is not possible to keep the systems separate, and during these required data transfers your door is opened to malware infection. In the most primitive case, malware is transferred when a thumb drive is used for the data transfer. However, many businesses just do the data transfer through some form of Ethernet or wireless link between the various systems. In some cases, companies just give up and shift all their important financial operations to the dedicated laptop, or even to a Chinese Windows desktop.

This is what actually happens on the ground in China, and there is no way to prevent it. Some foreign-owned companies in China will install a system based on advice from a foreign expert like Mr. Evans. They will use patched, updated operating systems, the most modern anti-virus protection, the best cryptography and a sophisticated VPN. This work is all in vain, because when a network connection is required, China Telecom or some other Chinese government agency will install the network system. And they will say it is fine for you to use these systems for your personal purposes, but you cannot use them for any operations that make use of the Internet in China, because China’s rules require the following:

1. China-approved anti-virus software.

2. China-approved cryptography.

3. A China-approved ISP.

4. A China-approved cloud provider.

5. China-approved connection software.

6. A China-approved version of Chinese-language Windows that they will provide to you.

7. Support service provided only by a China-approved (and controlled) network consultant.

To top it all off, China’s local authorities have the right to inspect your networked system at any time without notice, and this inspection is done without the participation of company staff. During that inspection, your data will be copied off using a thumb drive. If the government inspectors want to, they can then install malware using that same thumb drive. Most large network connections in China are made through a cloud system. Chinese government authorities have the same rights to inspect the cloud system, and in accordance with the rules, the client of the cloud provider will not even know that its system has been inspected.

Network systems are provided to businesses in China exclusively by the Chinese government, by Chinese government agencies, or by IT consultants approved and controlled by the government. The Chinese government is the primary hacker in China, and your cyber security is performed by the hacker itself. This goes beyond a simple network connection. The Chinese government provides the landline phone system and the cell phone system. The Chinese government provides the Internet connection. The Chinese government provides the email server. Many Chinese government agencies will not use email; they instead require all contact to be through WeChat, a completely insecure platform constantly monitored by the Chinese government. By using the extreme efforts described in the Simple Salt post, a foreign company doing business in China might be able to avoid one of these assaults on its data. But when the attacks come from every direction, are organized by the Chinese government itself, and are all backed up by the threat of imprisonment, any defense will ultimately fail.

So as I have said: there is no place to hide.

For this reason, the analysis provided in the Simple Salt post and in some of the other comments we received is naive, and the vast majority of foreign-invested companies in China do not have the capacity even to try. The task is too daunting and they know they will ultimately fail. The task is made even more pointless because in China these companies have no place to go for on-the-ground help. U.S.-based cybersecurity consultants are not permitted to work on the ground in China, so the assistance is not in fact practically available.

Measures taken to maintain security against Chinese government intrusion are seen as suspect or even illegal behavior. This is an important point. On Twitter, our post was met with comments from China bots and China lackeys saying things like “the only people who care about this sort of thing are those who have something to hide.” The truth is that the Chinese government will not allow any consultant or any company to defeat its cyber hacking program. This program is part of critical, central government policy.

U.S.-based cyber security consultants who promote their services by marketing an “easy” way to evade Chinese government hacking are doing a double disservice. First, within China their measures simply won’t work. Second, companies that use these measures risk being identified as a “problem”, leading to even more intrusive scrutiny of their network systems, increased interference with their business operations in China, and perhaps even prison. See, e.g., the following articles, all published within the last couple of weeks, and all detailing how China does not take terribly kindly to foreigners who try to circumvent the China system:

  1. U.S. Warns Its Citizens in China They Risk ‘Arbitrary’ Arrest
  2. Australians at risk of arbitrary arrest in China, DFAT travel advice warns
  3. China’s national security law for Hong Kong covers everyone on Earth
  4. China Thinks It Can Arrest Basically Anyone on the Planet for Criticizing Communism
  5. How this Long Island man ended up in a Chinese prison on espionage charges
  6. Michael Kovrig and Michael Spavor: China charges Canadians with spying

I challenge anyone to read these articles and then suggest that companies in China set up their network systems to circumvent Chinese government dictates.

So, as I noted, there is no place to hide. You are only “safe” if the Chinese government has no interest in you. The techno types who think they can defeat the Chinese system on the ground in China are living in a dream world. But there is no risk to them. The risks are loaded on the foreign companies operating within China. It is those risks we work to identify on this blog. Those risks are real and cannot be dissolved by techno-magic.

What are you seeing out there?