In the technology battles between the United States and China, the sensational hacks of American information technology systems revealed by the Department of Justice and the controversies over Huawei’s 5G wireless communications technology and TikTok’s video app dominate the headlines.
But the Chinese government of President Xi Jinping appears to be quietly setting the stage for a more pervasive, ongoing penetration of America’s networks, creating a national security problem that chief executive officers can no longer ignore or minimize. As part of its Digital Silk Road strategy, China is actively pursuing several vectors to achieve outright dominance of the world’s computer systems, including America’s.
The most concerning vector for companies operating in China appears to be a series of new Chinese laws that began taking effect in 2015 covering national security, national intelligence, and cybersecurity. Collectively, they have set the legal groundwork for the Chinese Communist Party to access all network activity that occurs in China or in communications that cross its borders. The culmination of this legal maneuvering appears to be the updated Multi-Level Protection System (MLPS 2.0), which came into effect in December 2019 and is gradually being rolled out.
Consisting of over one thousand pages and published only in Chinese, MLPS 2.0 sets out the technical and organizational requirements to which every company and individual in China must adhere. MLPS 2.0 gives “the legal authority to go in and ensure that a foreign company’s system is completely open to inspection and retrieval of information by the Communist Party,” says Steve Dickinson, an attorney with Harris Bricken, a Seattle-based international law firm with offices in Beijing. In other words, China has stripped away the legal grounds for an American company operating in China to protect its network from inspection by the Ministry of Public Security—the country’s feared law enforcement agency.
While no Chinese law grants the authority to install malware or backdoors in corporate networks, under MLPS 2.0, “anything the company would install on its Chinese system to prevent that will be neutralized,” Dickinson said. As a result, the global systems of any foreign company in China could now be within reach of Chinese authorities. Dickinson, who speaks and reads Mandarin, spent fifteen years advising companies in China.
Samm Sacks, another leading China technology specialist at Yale Law School’s Paul Tsai China Center and a Cybersecurity Policy Fellow at New America, told a Senate Judiciary subcommittee earlier this year she believes that, despite the new legal framework, bureaucrats at the provincial or municipal level will seek to retain the confidence of foreign companies and try to prevent national-level security officials from interfering too much. However, “decisions on the application of MLPS 2.0 are not made by local government officials,” notes Dickinson, “but by the Ministry of Public Security, supported by the Ministry of State Security, and implemented by China Telecom.” The Ministry of State Security is China’s international espionage organization. As Xi increasingly centralizes control, it appears at least some American corporate networks will be subject to inspection and de facto control—if they have not already have been.
Also of concern is that this legal framework enables China to require foreign companies to use specific software, encryption keys, and cloud computing providers that are under the Communist Party’s control. As a result, Chinese intelligence and security services can obtain direct access to corporate data through Chinese cloud providers, install Remote Access Trojans (RAT) or backdoors, and decrypt corporate data—all without the company’s knowledge. One clear example of interference is the case of Golden Tax software, a program required by the Chinese government for use in filing tax statements to it. Security firm TrustWave has reported that the software contains malware, which gives the government access to the user’s network.
Dickinson says it is “likely” the Chinese government will attempt to use its presence in U.S. corporate systems in China to leap into their parent company’s systems in the United States, but there have yet to be any publicly reported cases. One reason may be that such penetrations would be essentially invisible because they would appear to be legitimate traffic. While many companies segment their systems in China from their global networks, complete segmentation is nearly impossible.
Another important vector for penetration was revealed by the Cybersecurity and Infrastructure Security Agency (CISA) in September in cooperation with the Federal Bureau of Investigation (FBI). In a report that went largely unnoticed, CISA said the Ministry of State Security was using open source tools and well-known tactics to target numerous U.S. government agencies and commercial entities inside the United States. China’s top spying agency, it seems, is roaming through U.S.-based computing systems at will.
China also continues to target U.S. corporate and government networks in the United States through other unconventional means. A 2018 report by the U.S.-China Economic and Security Review Commission said more than half of the products used by seven major U.S. technology companies and their suppliers were made in China. They were Hewlett-Packard, International Business Machines Corporation, Dell, Cisco, Unisys, Microsoft and Intel. Chinese-manufactured equipment is inherently vulnerable to compromise. In the case of motherboards sourced from China by Super Micro Computer, Bloomberg Business Week revealed that the People’s Liberation Army had installed tiny semiconductors that would allow the army to communicate directly with SuperMicro servers in use in the United States. The article was vehemently denounced by Amazon, Apple and other companies, but was never discredited. Since then, industry sources have confirmed they struggle to prevent Chinese employees from inserting malware on motherboards assembled in China. Motherboards are the “brains” of many computing systems.
The problem is even worse when the use of “white labeling” by American companies is factored in. Many American tech companies sell products in the United States with the American company’s brand name on it, but with components or whole devices made by the likes the Huawei or ZTE. While American companies reap the benefit of more cheaply manufactured Chinese components, the risk of compromise is unknowingly borne by the customer, which, in many cases, can be the U.S. government, according to Krebs on Security.
What are the Chinese doing, or what might they do, with this multifaceted penetration of American information and technology systems? The first issue is data. The Chinese government has been gathering massive amounts of data through both licit and illicit means—namely, through acquisitions of Western companies with large user databases and through major hacks, such as those breaching Marriott, Equifax and the Office of Personnel Management, obtaining hundreds of millions of data points on American citizens and U.S. government personnel. One such hacking group, nicknamed “Wicked Panda,” was revealed by the Department of Justice in September to be associated with the Ministry of State Security. Wicked Panda has penetrated the supply chains of several major software manufacturers, impacting hundreds of thousands of users worldwide.
Yale’s Sacks told the Senate subcommittee that different government entities in China that possess the data do not necessarily cooperate. But it seems clear from Xi’s authoritarian push that the purpose behind gathering the enormous amounts and types of data is to centralize it so that profiles can be built on American companies, individuals, and technologies. China recently named Wang Yingwei, a renowned data scientist, as the head of its Cybersecurity Bureau within the public security ministry. It is clear that China is doubling down on Big Data, and the centralization of data and the recognition of patterns are crucial to this effort.
Reorganizations of the People’s Liberation Army and Ministry of State Security, China’s external spying agency, in the 2016–2017 timeframe also appear to be resulting in greater centralization and coordination of China’s hacking activity, says Ben Read, senior manager of analysis at Mandiant Threat Intelligence, a FireEye unit, in Washington, DC. “They’re trying to be more efficient and mature as an intelligence organization,” Read says. “They are going after telecommunications providers and managed service providers, single places that have a lot of data, rather than going after four or five different targets.” A managed service provider (MSP) manages a company’s IT system, either on the company’s premises or offsite in the computing cloud. An MSP does this for multiple customers, so if a Chinese hacker penetrates its system, the hacker can “hop” into the systems of multiple customer companies.
Read said five or six different Chinese hacking groups used to go after the same U.S. technological target, in effect tripping over each other. But now FireEye can see that overlap has been greatly reduced. “They’re definitely increasing their integration,” he said.
The second capability China seems to be trying to achieve is locating specific technologies it needs to complete its Made in China 2025 plan—its ambitious strategy to dominate key technologies. Information that travels over the Internet is organized into small informational units called packets, and those packets can be inspected by the network owner. Having access to U.S. and Western corporate networks in China enables Chinese government authorities to “packet sniff” all traffic to find the precise terminology associated with a technology they are searching for. There appears to be little stopping China from doing the same in a company’s global network.