The U.S. government is again reminding American businesses of the inherent dangers of using software and services connected to China.
In an advisory released shortly before many organizations went on Christmas break last year, the United States Department of Homeland Security (DHS) urged organizations and government agencies alike to exercise caution when working with, or otherwise interacting with, firms based in the People's Republic of China (PRC).
Federal entities have of course outlined risks associated with China before. What sets this report apart, the DHS says, is its focus on data collection that is compelled by PRC laws already on the books: statutes that can press companies operating in China into surrendering data to the government.
Companies may not realize that these so-called "asymmetrical advantages" - the lack of robust privacy laws, IP rights, and human rights protections - could open the door to data theft by "co-opting PRC firms to act as proxies and tools of the CCP," or the Chinese Communist Party.
These actions can have an adverse effect on U.S. businesses' trade secrets, intellectual property, and other confidential business information, DHS warns. They can also lead to "violations of U.S. export control laws; violations of U.S. privacy laws; breaches of contractual provisions and terms of service; security and privacy risks to customers and employees; risk of PRC surveillance and tracking of regime critics; and reputational harm to U.S. businesses."
In the document (.PDF) - which the DHS formally refers to as a Data Security Business Advisory - the agency covers the PRC laws, including recent ones such as the PRC Data Security Law of 2020 and the PRC Cryptography Law of 2020, that the CCP can ultimately invoke to make Chinese firms hand over data, access, or encryption keys. The document also details actions organizations can take to mitigate the risks.
Even data that may not appear to be in jeopardy, such as the data processed by fitness trackers and other wearable technology, could be obtained under China's 2017 National Intelligence Law and cross-referenced with other datasets.
Organizations, the DHS asserts, should first understand the risks of doing business with PRC-affiliated firms at all. Where a relationship is already in place, the business should have the appropriate policies, practices, and internal controls in place to maintain data security best practices.
To keep data secure, organizations should minimize the data that is stored or processed in the PRC, perform transaction monitoring, review terms of service, and remain alert when conducting business in China.
If they do not already, firms that use or store data in the PRC should treat the following types of data as sensitive:
1. Technology and other data connected to export-controlled products.
2. Intellectual property, including trade secrets, relating to emerging technologies identified in Made in China 2025 and other PRC plans.
3. Biotech, genomic, and medical test data.
4. Personally identifiable and other sensitive information.
5. Geolocation data.
The U.S. has taken a handful of steps over the last several years to crack down on risks and actions associated with CCP-sponsored data theft.
Last summer the U.S. publicly accused two Chinese hackers working on behalf of Beijing of stealing terabytes of data and targeting sensitive coronavirus vaccine research at biotech firms. Also last year, the U.S. Justice Department charged four members of China's military with the 2017 Equifax hack, which exposed the data of roughly 145 million U.S. citizens and is widely viewed as one of the largest corporate data breaches on record.
That is in addition to the numerous cases the DOJ has lodged recently against China-affiliated scientists and academics who, prosecutors allege, took jobs in the U.S. in order to steal or attempt to steal proprietary information from U.S. firms.