China cybersecurity lawyer

The Chinese Government Has Your Data And There’s Not Much You Can Do

Dan Harris

Jonathan Bench

China cybersecurity lawyer

China’s Data Security Landscape

This post addresses the options foreign companies have for operating in China and protecting their critical data. The assumption is usually that there must be a technical solution that allows foreign companies to protect their private technical data in China. The problem is technical, so there must be a technical solution.

Enough with the Techno-optimism

This is a symptom of unrealistic techno-optimism. There is almost nothing you can do. Any form of data you transmit across the Chinese border is available for inspection and use by the Communist Party and its agents.

You Have Three Choices. None Good.

What then is to be done? You have three basic choices.

1. Identify the technical data you do not want the CCP to obtain. Then, do not transfer that data to any location in China for any reason. If this means you cannot do business in China, that is what this means.

2. Capitulate and allow your data to be taken by the CCP.

3. Assume all your systems in China are compromised. Then work with your cyber-security consultant to design a system in China that will work in a situation where everyone involved knows the system is compromised. This is the kind of program used by people who work in hostile environments. It is the realm of spy-craft and operations behind the lines in times of war. These evasion techniques are regularly provided to dissidents and oppressed persons operating in China. So, evasion techniques do exist.

The Problems with Evasion Techniques

The problem is that these techniques assume an openly adversarial environment. The people who use these techniques understand punishment will follow if the evasion technique is discovered. For that reason, it is too risky for on the ground managers and employees to make use of this approach. So though this approach may be technically feasible, application of these techniques is usually not practical. However, once the problem is understood, it may be possible for foreign cyber-security professionals to design usable techniques that can be safely applied in a compromised environment like China.

These are the three possible responses to China. So long as the CCP operates China’s cyber-insecurity system, there is no place to hide in China. Every entity operating in China must make a frank assessment of the risks it takes by working within the existing system. There is no escape from facing the issue directly.

Why Common Alternatives Won’t Work

Consider why any other alternative simply will not work. For example, imagine a situation where a powerful foreign investor in China states the following to the regulators:

We know you want to steal the data housed on our servers located in China. We will only transfer that data into China if you provide us with a blanket exemption to your cyber-insecurity system. We will house our data on servers installed by our own technicians. We will only use equipment we have inspected for malware and back doors. We will use our own encryption and we will not provide you with the keys. We will communicate on our own secure VPN that exempts us from any control by the Great Firewall. We will use our own, foreign based, anti-virus software. Our network systems will operate using the most advanced server and operating system software.

We know this system is not compliant with China’s cyber-security, surveillance, and control system. But allowing us to use our non-compliant system that operates outside the Great Firewall and outside the cyber-insecurity system is the price China must pay for our company to operate within China or to transfer any technology of any kind into China. Take it or leave it.

Since this demand violates Chinese law and policy, the Chinese government will reject it. But for purposes of this discussion, assume the Chinese authorities agree to allow a foreign investor to operate per the above. It still would not work because the Chinese system forces anyone operating in China into an insecure environment and once in that insecure environment, any system of cyber-security will fail. Thinking a cyber-solution will provide a place to hide is a dangerous fantasy.

China’s system drives all persons and entities into an insecure network environment. The CCP’s ultimate goal is to install malware on all network devices. A primary target in this program is smart phones. In China today, nobody can function without a smart phone. Virtually every aspect of daily life and business life requires smart phone apps. The Party and its agents understand this, and they are believed to have installed malware on all smart phones made or used in China.

China’s Malware Reality: It’s Everywhere You Want to Be

The forced use of WeChat is an example of how the system works. A number of our clients have asked us whether they should be concerned with WeChat as a vector for malware infection on their systems. This question misses the issue. WeChat IS malware. If you install WeChat on your system, you are installing malware. No sophisticated phishing campaign is required. You did it yourself. There is a reason for this. No company can do business in China without using WeChat. There is no escaping this if you operate in China or if, outside China, you work with Chinese companies and individuals. Virtually every smartphone application distributed by the Chinese government is a form of malware. The following are some examples of this.

1. Study of Xi Jinping thought is now mandatory in China. The Party has created a smartphone app intended to promote that study: the Study the Great Nation App. Just about everyone in China has this app. Since advancement within the Party and the bureaucracy requires using the app (and since use is monitored), it is regularly accessed. The app is more than an educational tool, it is a form of malware and it conducts information gathering, file transmission and protection, code execution and backdoors, obfuscation for hiding functionality, and collaboration with external companies. The average foreign executive will not have this app installed. But the Party cell members in that foreign executive’s office will have that app on their phone, as will virtually everyone in China with whom she does business will. There is no effective way to avoid the reach of the app and its data gathering functions.

2. Many governments in China created smart phone applications to monitor self-quarantine and other measures as part of their coronavirus control programs. The best known of these was created in Hangzhou and, as with the Great Nation app, this app is also a form of malware. This app was required for the daily functions of life: entry into neighborhoods, purchase of train and bus tickets, entry into shopping malls. This app could not be avoided, and it no doubt remains on many people’s phones to this day.

3. Even foreign tourists and other foreign visitors to China are forced into China’s smartphone malware system. It has become a regular procedure for China border control to inspect the smartphone of every person entering into China and these inspections are particularly thorough for entry into sensitive areas such as Xinjiang and Tibet. As part of the inspection process, border agents now routinely install tracking malware on those smartphones and tourists are not permitted to opt out because compliance is a condition of entry. This procedure demonstrates how China’s cyber-insecurity system works. Step One, police inspection is mandatory. Step Two, the police take any data they want to take. Step Three, the police leave behind tracking malware to make the network device permanently accessible by the Chinese government and its favored companies. This is exactly what the CCP and its agents do when “inspecting” office computer networks and offsite cloud systems. Inspection is cover for insertion of malware. Insertion of malware is the primary goal.

Software is The Real Threat

All networked systems in China are treated the same way: smartphones, computer networks, cloud systems. The CCP’s goal is to push all users of these networks into an insecure environment. Many of our readers have expressed concerns about using Chinese hardware. They believe they can escape from Chinese data monitoring by using their own self certified hardware devices. But hardware is not the issue. The issue is software. The Party and its agents will allow you to use the hardware of your choice. The cyber-insecurity system works so well for China because it imposes its system on you by forcing you into a compromised, insecure software environment. If you are in China or dealing with China, you are part of China’s monitoring system.

Your hardware does not matter for China, though it is true that much Made in China hardware (see Huawei’s 5G system) has been developed to monitor outside China. This can be seen by the continued saga of Huawei attempts to participate in the roll out of 5G networks in the United Kingdom. Even though Huawei was under intense pressure to deal with security concerns in the U.K, the U.K. Huawei Oversight Board found that Huawei’s systems failed to meet minimum security standards. The reason for the failure is NOT related to Huawei hardware. The security issues are related to the software component. “Sustained evidence of poor coding practices was found, including evidence that Huawei continues to fail to follow its own internal secure coding guidelines.” The report found “critical, user-facing vulnerabilities” in fixed access products caused by “particularly poor code quality” and the use of an old operating system.

This echoes the way the China’s insecure systems work: users are forced to use poorly written government mandated software and outdated operating systems. Even when pushing out product to a very suspicious foreign government, Huawei is not able to escape from the basic structure of the PRC’s cyber-insecurity regime because its sales within China require they operate this way. This is all is a feature of a system that prioritizes CCP monitoring over revenues. One of my biggest concerns is that Internet of Things devices, such as smart lights, smart thermostats, and other such items sold to American consumers are similarly compromised.

What Can You Do? What Can You Do?

What if anything can be done when there is no practical way to protect network data that crosses the Chinese border? The Chinese cyber-insecurity system is designed to make all networks of any kind open to access by the CCP and its agents. This access includes collection and use of all data available on every network operating within the borders of the PRC. For a foreign invested enterprise, this means access to and use of all technical data that crosses the Chinese border.

The answer to what can be done is that you need to understand China realities. Do not fool yourself into thinking you can defeat China’s all-pervasive cyber-insecurity system. In that sense, the answer is quite simple: if there is data you do not want the CCP to see, do not send that data to China.

For years, foreign investors have worked to find a “workaround” to the Chinese system. There is no work around. China does not do loopholes. There is no place to hide.

Share

Dan Harris

Dan Harris is a founding member of Harris Sliwoski, an international law firm where he mostly represents companies doing business in emerging market countries. Most of his time is spent helping American and European companies navigate foreign countries by working with the international lawyers at his firm in setting up companies overseas (WFOEs, Subsidiaries, Rep Offices and Joint Ventures), drafting international contracts, protecting IP, and overseeing M&A transactions. In addition, Dan writes and speaks extensively on international law, with a focus on protecting foreign businesses in their overseas operations. He is also a prolific and widely-followed blogger, writing as the co-author of the award-winning China Law Blog.

Harris Sliwoski Attorney Read more posts

Jonathan Bench

Jonathan is chair of Harris Sliwoski’s corporate practice group, where he helps public and private companies with international and domestic business transactions. His clientele includes companies from Asia, Europe, Africa, and the Americas. Jonathan has worked and consulted in the U.S., Asia, and South America and is fluent in Mandarin and Cantonese Chinese. He is an emerging blockchain legal expert and enjoys developing international legal strategies with promising web3 projects.

Harris Sliwoski Attorney Read more posts
Read More

China Business, Intellectual Property (IP), Internet

Related Posts

Shutting down a China WFOE

The 101 on Shutting Down Your China WFOE vs. Putting it Into “Hibernation”
A man on a ladder reaching for a puzzle piece representing the need to understand CFIUS reporting requirements for foreign investment above a digital world map illuminated by network connections.

CFIUS Reporting Requirements for Non-U.S. Investors
China foreign due diligence

China Legal Compliance Basics
China lawyers for China scams

No Product from China Despite Having Paid for It
China Payment Terms That Will Get YOU Paid

How to Ensure You Get Paid When Doing Business With Chinese Companies
A mock-up of a Chinese personal registration identification card.

Your China Trademark Is Now Registered: What Next?
Enforcing U.S. judgments in China

Enforcing U.S. Judgments in China: What You Need to Know
US ChinaTrade Policies

Dueling US-China Sanctions: A Guide for Businesses
Guide to choosing your manufacturer

The Three Keys to Not Getting Ripped Off When Manufacturing Overseas
China due diligence lawyers

China Due Diligence: NOT Optional
china law blog

Drafting Your Own China Contract
China NNN Agreements

China NNN Agreements: The Ten Most Asked Questions Answered
Laptop screen displaying an alarm clock and icons indicating a prohibition of music and sound.

The Ticking Clock to a TikTok Stop
Various epoxy resin casts alongside containers of resin and hardener on a wooden surface.

New AD/CVD Petitions: Certain Epoxy Resins from China, India, South Korea, Taiwan and Thailand (AD/CVD)
Moving your manufacturing from China to Mexico

Mexico vs. China on Manufacturing Risks