In an advisory this week, the Department of Homeland Security (DHS) warned American organizations of the risks posed by using data services and equipment from firms that have ties to the People’s Republic of China (PRC).
Both businesses and customers in the United States are at risk due to the PRC’s data collection activities, the DHS warns. Some of these risks include the theft of confidential business data, trade secrets and intellectual property, violation of privacy and export laws, breach of contractual provisions, and risk of surveillance.
“The PRC presents a grave threat to the data security of the U.S. government and U.S. businesses. It has both the intent and ability to covertly access data directly through entities under the influence or jurisdiction of PRC laws,” the DHS says.
The agency also underlines that data is often accessed without requesting the consent of or informing the non-PRC businesses or institutions owning the data.
In its advisory, the DHS also points out that data theft operations performed under the command of the Chinese government represent a persistent, growing threat, especially since newly enacted laws require all PRC businesses and citizens to “take actions related to the collection, transmission, and storage of data.”
These laws compel Chinese businesses to provide the government with data, encryption keys, technical information, and logical access. Furthermore, firms are required to install backdoors in equipment to create security vulnerabilities that PRC entities can easily exploit, the advisory warns.
In addition to detailing the various data collection practices of the Chinese government, and providing an overview of the applicable laws recently passed in the country, the advisory offers extensive details on the risks faced by companies partnering with China.
Chinese firms operating data centers, either in the country or abroad, are required to share data with the government upon request, even if the sharing of data is illegal under the jurisdiction in which the firms operate.
Even data centers built using Chinese equipment are at risk, due to the backdoors equipment manufacturers are required to install, by law. By subsidizing the use of hardware, software, and telecoms infrastructure from domestic firms, the Chinese government helps corporations such as ZTE or Huawei undercut competitors, the DHS says.
“The spread of such equipment may even affect unwitting U.S. service providers. The CCP subsidies and the spread of PRC-developed equipment not only advantage PRC companies over U.S. providers economically, but also furthers the ongoing capabilities of the CCP where the equipment supplier maintains a service or maintenance contract that necessitates ongoing access,” the advisory continues.
DHS also warns that even data sharing agreements with Chinese firms are risky, and that the government may even purchase legally obtained data to augment the illegally acquired information. Software and mobile apps from Chinese firms pose data collection risks too, just as fitness trackers and other wearables do.
“Businesses and individuals that operate in the PRC or with PRC firms or entities should scrutinize any business relationship that provides access to data—whether business confidential, trade secrets, customer personally identifiable information (PII), or other sensitive information,” DHS says.
The advisory also provides a series of recommendations on how to minimize risks associated with using equipment and services from China, or partnering with firms linked to China.
“Today, the threats to our peace and prosperity emanate largely from China. […] Instead of competing fairly on a level playing field, China undermines the international system. Instead of fighting on the conventional battlefield, China wages secret disinformation and propaganda wars to cripple us from within. The results they have achieved thus far should concern every American,” Homeland Security Acting Secretary Chad F. Wolf commented.