The Department of Homeland Security (DHS) has issued a broad warning to all American businesses about potential data theft by partners in China that have connections to the government. The advisory outlines “PRC legal regimes and known PRC data collection practices” that could present a risk to any organization not based in the country, warning that China’s ambitious plans to become the premier “global technological superpower” by 2049 translate into an increased focus on all types of data collection.
According to Chad Wolf, Acting Secretary of the DHS: “For too long, U.S. networks and data have been exposed to cyber threats based in China which are using that data to give Chinese firms an unfair competitive advantage in the global marketplace. Practices that give the PRC government unauthorized access to sensitive data – both personal and proprietary – puts the U.S. economy and businesses at direct risk for exploitation. We urge businesses to exercise caution before entering into any agreement with a PRC-linked firm.”
Data theft warning highlights long-term strategic concerns for US
Underpinning the new data theft warning are two general concerns about the US’s most formidable rival: PRC government access to data held by Chinese companies under the 2017 National Intelligence Law, and the country’s collection of stated trade and economic growth plans.
The National Intelligence Law essentially requires companies in China to provide the government with access to any data they hold upon demand. The DHS warning thus essentially applies to all businesses based in the PRC: those that have an “ownership nexus” in country or that use equipment manufactured by such a company, along with firms that have PRC citizens in “key leadership and security-focused roles.”
The warning also highlights a collection of PRC initiatives meant to bear fruit by 2025-2050, all of which would be supported and accelerated by widespread data theft. The advisory names the “Made in China 2025” plan that seeks to reform the country’s manufacturing sector from a low-tech to a high-tech focus, the “Digital Silk Road” initiative that looks to export telecommunications infrastructure to targeted parts of the world, and the Military-Civil Fusion policy that seeks to have China’s armed forces at a “world class” level by 2049.
Nothing presented in the advisory is new information; it’s essentially an executive summary of the expected data theft risks from PRC entities that store data on Chinese servers or provide hardware, framed in terms of expectations based on geopolitical interests. The advisory echoes the core concerns of many cases that have emerged in the past couple of years, from the ban on Huawei hardware to the proposed ban on TikTok.
The DHS believes that, in keeping with these various strategic initiatives, the Chinese government is stepping up its collection of data through both legal and illegal channels. Its most immediate interest in data is in supporting its shift to a high-tech manufacturing base, something that espionage could provide a massive boost to. Longer-term, the CCP seeks data to improve both its intelligence and military goals by improving both technology and its ability to project propaganda to other nations.
The advisory identifies some specific entities that present an elevated risk of data theft: data centers owned or operated by PRC firms, foreign data centers built with PRC equipment, organizations that have a PRC firm as a joint venture partner, and devices or apps owned by Chinese companies.
The DHS suggests taking account of all sensitive and personal information that is shared with PRC partners and ensuring that contractual agreements stipulate clearly where it is stored and how it is handled. This also applies to reviewing the terms of service of any apps, software and hardware made in China. DHS warns that the CCP is most interested in particular categories of data: high tech, export-controlled products, trade secrets and confidential intellectual property, biotech and genomic data, medical test data, personally identifiable information and geolocation data.
Long history of suspected data theft
Intellectual property theft in the interest of Chinese economic development has been a major problem for organizations in the US for many years, predating both the Trump and Obama administrations. The country has struggled to keep up with the West in technological innovation due to a number of factors, ranging from the nature of the government to domestic law that is weaker on data theft by competitors. A fundamental PRC strategy has been to simply infiltrate or hack into innovative foreign companies, steal confidential information, and use it to create domestic knockoffs. The “Thousand Talents Plan” for recruiting foreign tech and biological experts also essentially incentivized IP theft by requiring candidates to bring research with them, something that led to several high-profile cases of alleged espionage by American researchers.
DHS cautions that American companies should be concerned not just with targeted espionage, but also back doors (or “bugdoors”) built into hardware manufactured in the PRC and distributed for data theft purposes in a more broad fashion. The National Intelligence Law allows for hardware backdoors of this type if they are in the interests of the ruling government.