Security experts have warned foreign firms operating in China that new laws may give the authorities more power to spy on and censor them.
Updates to the country’s infamous 2017 Cybersecurity Law, dubbed the Regulations on Internet Security Supervision and Inspection by Public Security Organs, were issued in November last year.
They give the Ministry of Public Security (MPS) sweeping new powers to conduct remote pen testing and on-site inspections of any company with five or more internet-connected computers, which means virtually every foreign firm operating in the country today, according to Recorded Future.
The MPS is allowed to copy user information and check for vulnerabilities, if necessary using third-party “cybersecurity service agencies” to help them — which will increase the risk of vulnerability discovery and data leaks, the vendor argued.
The law also gives the MPS the authority to audit firms for prohibited content, effectively enabling it to act as a censor under the auspices of cybersecurity.
“Since the scope of inspections is not limited in these new regulations, Article 16 may also empower MPS officers to access parts of the company’s enterprise not even related to or within territorial China,” the report warned. “The implications for unlimited remote inspections on the networks of international corporations could be far-reaching and create significant risk for customers and international operations.”
The MPS is also under no obligation to notify an organization when it is under inspection or of the results of that inspection.
The updates to the law come on top of wide-reaching powers granted to the Ministry of State Security (MSS) under the original Cybersecurity Law to conduct ‘national security reviews’ of various firms — the results of which it could use to conduct espionage operations.
Recorded Future urged foreign firms in China to prioritize vulnerability scanning and patch management to prevent state inspectors from “easily gaining unwanted access or escalating privileges.”
“Recorded Future recommends that all international corporations operating in China take measures to evaluate their technology footprint within the country, their evacuation and government relations policies, and their system architecture to minimize the impact of the law and effectively address the worst-case scenario if subjected to an MPS inspection,” it added.
“Altering company system architecture to keep connections between Chinese and international operations as segmented as possible is important to prevent inspections from spilling into corporate networks or databases with no connection to territorial China. Further, keeping one’s employees safe and informed of the inspections should remain a top priority for companies operating within the country.”