China’s new Cybersecurity Law (CSL) could expose Western firms and their customers to significant new security risks if the state chooses to launch ‘national security’ investigations, demanding IP and source code, according to a new report.
In it, threat intelligence firm Recorded Future claims foreign multi-nationals operating in China will be faced with a stark choice: comply with the law’s “onerous, vague, and broad new legal requirements” or be denied access to the huge mainland China market.
It argues that the new law gives sweeping new powers to the China Information Technology Evaluation Center (CNITSEC), part of the Ministry of State Security (MSS), the spy agency said to be home to the threat group APT3.
CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments” and may use bugs found in such tests in its intelligence gathering, the report claims, citing a US State Department cable.
This makes it likely, Recorded Future claims, that if CNITSEC were asked to investigate any foreign firm on national security grounds, it could hand over the resulting intelligence to the MSS for use in state-sponsored cyber-attacks.
That means elevated risk to the investigated company’s own machines and networks, its products and services, and its customers and users around the world.
Such firms could also find themselves on the receiving end of a public relations backlash in Europe and North America, and could be deemed too risky for use by governments there as a result, the report continues.
“Most products and services utilized in China will not be wholly unique from their global counterparts, raising the risk that vulnerabilities discovered by the MSS could be utilized to exploit international users of these machines, networks, products, and services,” the report notes.
Cloud providers are at greatest risk because they could be defined as “critical information infrastructure” and therefore subject to more checks, it claims.
However, any company defined as a “network operator” could come under investigation. This term could cover financial institutions, cybersecurity providers or indeed any enterprise that has a website and provides network services, the report suggests.
“It is important for companies to note the imprecision and breadth of the CSL as well as the 2015 National Security Law, because both contain vague language that can be invoked by Chinese authorities to compel national security reviews, data sharing with government authorities, and even inspections into proprietary technology or intellectual property,” the report warns.