New provisions made to China’s Cybersecurity Law last November gives state agencies the legal authority to remotely conduct penetration testing on any internet-related business operating in China, and even copy and later share any data government officials find on inspected systems.
Any company that provides an internet-related service with more than five internet-connected computers is susceptible to these inspections.
The Chinese government agency tasked with carrying out these penetration tests is the Ministry of Public Security (MPS), the same agency which also maintains China’s Great Firewall and its nationwide facial recognition system and surveillance cameras network.
MSP officials received these new powers on November 1, 2018, in the form of new provisions to China’s Cybersecurity Law, first adopted in 2017.
These new provisions, named “Regulations on Internet Security Supervision and Inspection by Public Security Organs” (公安机关互联网安全监督检查规定) give the MSP the following new powers:
- Conduct in-person or remote inspections of the network security defenses taken by companies operating in China.
- Check for “prohibited content” banned inside China’s border.
- Log security response plans during on-site inspections.
- Copy any user information found on inspected systems during on-site or remote inspections.
- Perform penetration tests to check for vulnerabilities.
- Perform remote inspections without informing companies.
- Share any collected data with other state agencies.
- The right to have two members of the People’s Armed Police (PAP) present during on-site inspection to enforce procedures.
The new provisions bolster an already intrusive Cybersecurity Law adopted in 2017, which gave Chinese authorities the right to analyze the source code of technologies used by foreign companies in China, all under the guise of identifying vulnerabilities during “national security reviews” to ensure national security.
Back then, US-based threat intel firm Recorded Future sounded the alarm that the law could be abused by Chinese state agencies to identify zero-days and vulnerabilities in the source code of western technologies that usually would have been closed to the eyes of Chinese authorities and its state-sponsored hackers.
Now, Recorded Future experts are raising the alarm on the new provisions as well, citing their broad scope and vague language.
Experts fear that the new provisions will help the Chinese state mask its data collection practices. The worst part is that companies face the risk of not even knowing that an intrusion from Chinese authorities happened.
Recorded Future says the new law doesn’t force the MPS to notify companies when it performs a remote inspection or penetration test, nor does it force it to share a report of its findings and what data it collected with the “inspected” companies.
This means that MPS agents could find a vulnerability in “inspected” companies, gather the company’s data, and later share it with other agencies, and it would all be perfectly legal under Chinese laws.
Further, the new law provisions are also very vague, not specifying which data MPS officials are entitled to copy –data of Chinese citizens only, or all of a company’s users, including foreigners.
Inspections can be carried out at any time, with no prior notice, and for something as simple as checking if companies are storing “illegal content” on their servers, content that Chinese authorities have censored inside the country and may wish to force or intimidate local or foreign firms into also banning.
“Almost all foreign businesses will be subject to in-person facility searches, copying of company user data, invasive checking for ‘illegally published materials,’ and remote inspection of company networks,” said Recorded Future experts in a report analyzing the new cybersecurity provisions today.
“Customers, data, and systems in territorial China are not only at risk of having their data held by the Chinese government, but also are at increased risk for third-party data breaches and Chinese government surveillance,” they said.