The Chinese government places some strict regulations on foreign firms operating in the country. Last year, the administration passed a new set of laws that further breached the rights of foreign companies by allowing law enforcement agencies to snoop on their networks and even censor them, if required.
In November 2018, the Chinese government announced updates to the 2017 Cybersecurity Law that gives the Ministry of Public Security (MPS) immense powers. The MPS will now be able to do an on-site inspection and remote pentesting (penetration testing or ethical hacking) of any foreign firm that has five or more computers connected to the Internet. This essentially means that every business operating in China is now essentially a target for government spying.
In the case of on-site inspection, the People’s Armed Police (PAP) will be present to ensure compliance of the business. However, remote inspection allows the MPS to contract non-governmental agencies to carry out the task. This is highly problematic since a third-party, other than the government, will now have access to the company’s data, without the firm even knowing about it.
The MPS has the right to copy any content it wishes from the network of the foreign company. This could potentially allow the state’s surveillance department to keep track of the firm’s inner workings as well as its customers. The MPS is under no obligation to give any kind of notice to a company before inspecting it. Security experts advise foreign firms in China to regularly conduct patch management to block government inspectors from accessing any sensitive data or gain unwanted privileges over the network.
“Since the scope of inspections is not limited in these new regulations, Article 16 may also empower MPS officers to access parts of the company’s enterprise not even related to or within territorial China… The implications for unlimited remote inspections on the networks of international corporations could be far-reaching and create significant risk for customers and international operations,” a report by Recorded Future states (InfoSecurity).
There is also a possibility that the Chinese government might use the law to identify vulnerabilities in the source code of Western technologies. Before these new updates to China’s cybersecurity law, foreign firms could have avoided the prying eyes of the Chinese regime gaining access to such sensitive information.
New investment laws
It is not just new cybersecurity laws that have made foreign companies worried about their Chinese operations. Beijing is apparently working on new rules on foreign investment, a draft of which will be put before the Congress by early March.
“While the current draft responds to some longstanding criticisms from foreign firms, vowing to protect their intellectual-property rights and ban coerced technology transfers, it contains vague language on national security reviews, government expropriation and other matters officials could use against foreign firms. It also ignores the long-running practice of subsidizing state-owned enterprises — a sore point for the Trump administration that some businesses hoped would be addressed,” according to The Wall Street Journal.
The draft is said to contain a rule that gives China freedom to claim foreign investment on behalf of ‘public interest’. Given the pathetic record of Beijing in protecting business sovereignty, many firms feel that this law could easily be misused by the Chinese regime. The communist government has given businesses until February 24, 2019, to provide feedback on the draft.