Is China Seeking A Secretive, Permanent Presence in America’s Computers?
In the technology battles between the United States and China, the sensational hacks of American information technology systems revealed by the Department of Justice and the controversies over Huawei’s 5G wireless communications technology and TikTok’s video app dominate the headlines.
But the Chinese government of President Xi Jinping appears to be quietly setting the stage for a more pervasive, ongoing penetration of America’s networks, creating a national security problem that chief executive officers can no longer ignore or minimize. As part of its Digital Silk Road strategy, China is actively pursuing several vectors to achieve outright dominance of the world’s computer systems, including America’s.
The most concerning vector for companies operating in China appears to be a series of new Chinese laws that began taking effect in 2015 covering national security, national intelligence, and cybersecurity. Collectively, they have set the legal groundwork for the Chinese Communist Party to access all network activity that occurs in China or in communications that cross its borders. The culmination of this legal maneuvering appears to be the updated Multi-Level Protection System (MLPS 2.0), which came into effect in December 2019 and is gradually being rolled out.
Consisting of over one thousand pages and published only in Chinese, MLPS 2.0 sets out the technical and organizational requirements to which every company and individual in China must adhere. MLPS 2.0 gives “the legal authority to go in and ensure that a foreign company’s system is completely open to inspection and retrieval of information by the Communist Party,” says Steve Dickinson, an attorney with Harris Bricken, a Seattle-based international law firm with offices in Beijing. In other words, China has stripped away the legal grounds for an American company operating in China to protect its network from inspection by the Ministry of Public Security—the country’s feared law enforcement agency.
While no Chinese law grants the authority to install malware or backdoors in corporate networks, under MLPS 2.0, “anything the company would install on its Chinese system to prevent that will be neutralized,” Dickinson said. As a result, the global systems of any foreign company in China could now be within reach of Chinese authorities. Dickinson, who speaks and reads Mandarin, spent fifteen years advising companies in China.
Samm Sacks, another leading China technology specialist at Yale Law School’s Paul Tsai China Center and a Cybersecurity Policy Fellow at New America, told a Senate Judiciary subcommittee earlier this year she believes that, despite the new legal framework, bureaucrats at the provincial or municipal level will seek to retain the confidence of foreign companies and try to prevent national-level security officials from interfering too much. However, “decisions on the application of MLPS 2.0 are not made by local government officials,” notes Dickinson, “but by the Ministry of Public Security, supported by the Ministry of State Security, and implemented by China Telecom.” The Ministry of State Security is China’s international espionage organization. As Xi increasingly centralizes control, it appears at least some American corporate networks will be subject to inspection and de facto control—if they have not already been.
Also of concern is that this legal framework enables China to require foreign companies to use specific software, encryption keys, and cloud computing providers that are under the Communist Party’s control. As a result, Chinese intelligence and security services can obtain direct access to corporate data through Chinese cloud providers, install Remote Access Trojans (RATs) or backdoors, and decrypt corporate data—all without the company’s knowledge. One clear example of interference is the case of Golden Tax software, a program the Chinese government requires for filing tax statements. Security firm Trustwave has reported that the software contains malware, which gives the government access to the user’s network.
Dickinson says it is “likely” the Chinese government will attempt to use its presence in U.S. corporate systems in China to leap into their parent company’s systems in the United States, but there have yet to be any publicly reported cases. One reason may be that such penetrations would be essentially invisible because they would appear to be legitimate traffic. While many companies segment their systems in China from their global networks, complete segmentation is nearly impossible.
Another important vector for penetration was revealed by the Cybersecurity and Infrastructure Security Agency (CISA) in September in cooperation with the Federal Bureau of Investigation (FBI). In a report that went largely unnoticed, CISA said the Ministry of State Security was using open source tools and well-known tactics to target numerous U.S. government agencies and commercial entities inside the United States. China’s top spying agency, it seems, is roaming through U.S.-based computing systems at will.
China also continues to target U.S. corporate and government networks in the United States through other unconventional means. A 2018 report by the U.S.-China Economic and Security Review Commission said more than half of the products used by seven major U.S. technology companies and their suppliers were made in China. They were Hewlett-Packard, International Business Machines Corporation, Dell, Cisco, Unisys, Microsoft and Intel. Chinese-manufactured equipment is inherently vulnerable to compromise. In the case of motherboards sourced from China by Super Micro Computer, Bloomberg Businessweek revealed that the People’s Liberation Army had installed tiny semiconductors that would allow the army to communicate directly with Supermicro servers in use in the United States. The article was vehemently denounced by Amazon, Apple and other companies, but was never discredited. Since then, industry sources have confirmed they struggle to prevent Chinese employees from inserting malware on motherboards assembled in China. Motherboards are the “brains” of many computing systems.
The problem is even worse when the use of “white labeling” by American companies is factored in. Many American tech companies sell products in the United States with the American company’s brand name on them, but with components or whole devices made by the likes of Huawei or ZTE. While American companies reap the benefit of more cheaply manufactured Chinese components, the risk of compromise is unknowingly borne by the customer, which, in many cases, can be the U.S. government, according to Krebs on Security.
What are the Chinese doing, or what might they do, with this multifaceted penetration of American information and technology systems? The first issue is data. The Chinese government has been gathering massive amounts of data through both licit and illicit means—namely, through acquisitions of Western companies with large user databases and through major hacks, such as those breaching Marriott, Equifax and the Office of Personnel Management, obtaining hundreds of millions of data points on American citizens and U.S. government personnel. One such hacking group, nicknamed “Wicked Panda,” was revealed by the Department of Justice in September to be associated with the Ministry of State Security. Wicked Panda has penetrated the supply chains of several major software manufacturers, impacting hundreds of thousands of users worldwide.
Yale’s Sacks told the Senate subcommittee that different government entities in China that possess the data do not necessarily cooperate. But it seems clear from Xi’s authoritarian push that the purpose behind gathering the enormous amounts and types of data is to centralize it so that profiles can be built on American companies, individuals, and technologies. China recently named Wang Yingwei, a renowned data scientist, as the head of its Cybersecurity Bureau within the public security ministry. It is clear that China is doubling down on Big Data, and the centralization of data and the recognition of patterns are crucial to this effort.
Reorganizations of the People’s Liberation Army and Ministry of State Security, China’s external spying agency, in the 2016–2017 timeframe also appear to be resulting in greater centralization and coordination of China’s hacking activity, says Ben Read, senior manager of analysis at Mandiant Threat Intelligence, a FireEye unit, in Washington, DC. “They’re trying to be more efficient and mature as an intelligence organization,” Read says. “They are going after telecommunications providers and managed service providers, single places that have a lot of data, rather than going after four or five different targets.” A managed service provider (MSP) manages a company’s IT system, either on the company’s premises or offsite in the computing cloud. An MSP does this for multiple customers, so if a Chinese hacker penetrates its system, the hacker can “hop” into the systems of multiple customer companies.
Read said five or six different Chinese hacking groups used to go after the same U.S. technological target, in effect tripping over each other. But now FireEye can see that overlap has been greatly reduced. “They’re definitely increasing their integration,” he said.
The second capability China seems to be trying to achieve is locating specific technologies it needs to complete its Made in China 2025 plan—its ambitious strategy to dominate key technologies. Information that travels over the Internet is organized into small informational units called packets, and those packets can be inspected by the network owner. Having access to U.S. and Western corporate networks in China enables Chinese government authorities to “packet sniff” all traffic to find the precise terminology associated with a technology they are searching for. There appears to be little stopping China from doing the same in a company’s global network.
A final element of the Chinese strategy appears to be achieving the ability to surveil American decision-making systems. “China wants to have somebody sitting in a big control room in Beijing with a set of screens in front of them looking at every computer system in the United States on a real-time basis,” Dickinson said. “Not just computer systems, but also every Internet of Things system, every cell phone system. They’ll use Artificial Intelligence to filter the information so that it’s not just a random blob on the screen. That’s their goal. There’s no question about it.”
As a result of China’s increased sophistication, government agencies, such as the Department of Defense and the Department of Energy, which collectively oversee the nation’s nuclear capability, face vulnerabilities in their supply chains. Chinese hackers target small sub-suppliers that have scant protection and work their way up to larger and larger companies.
The Pentagon’s defense industrial base includes more than three hundred thousand companies, and it faces a constant battle to identify foreign government intrusions. In a hack revealed by the U.S. Department of Justice in 2018, APT10—malicious cyber actors associated with the Ministry of State Security—obtained the names and personal information of over one hundred thousand members of the U.S. Navy as well as ship maintenance records. Governmental departments and agencies often rely heavily on private-sector networks.
American CEOs have been reluctant to face up to the fact that their networks are vulnerable, assuming it is just the cost of doing business in China. Or else they have persuaded themselves that Chinese hackers are not a threat because they don’t actually disrupt a system as the North Koreans did to Sony’s studios in Hollywood. Executives also may fear negative publicity and angry shareholder lawsuits. Perhaps they assume that national security is not their job, but rather the government’s job.
But it appears that China, which has declared a “military-civil fusion,” is exploiting the gaps in the American pluralistic system to undermine both governmental and corporate interests. As U.S.-China technology tensions mount, American companies need to embrace more public-private partnerships with U.S. government entities to secure the nation’s information technology systems.
For starters, the Pentagon needs the authority to obtain visibility into the information and technology systems of all the companies in its supply chain, which it currently lacks. That’s just one piece of the puzzle. Companies have to invest to harden their systems and employ more people to monitor those systems. The American educational system, for its part, must get serious about creating more STEM students so that the United States has the human capital to build and monitor communications infrastructures. American companies must work with the government to bring critical technology manufacturing back to the United States, easing an almost-complete dependence on China in key areas. The new National Strategy for Critical and Emerging Technologies is an important first step. But it clearly will require a massive public-private mobilization, a “whole-of-nation” response, to prevent the United States from sliding into Xi Jinping’s surveillance state.
Americans could once rest comfortably in the assumption that they possessed overwhelming technological dominance. But China’s government is working hard to prove them wrong.
Michael G. McLaughlin is the Senior Counterintelligence Advisor for United States Cyber Command and a Juris Doctor candidate at the University of Maryland School of Law. William J. Holstein is the author of The New Art of War: China’s Deep Strategy Inside the United States.
The views and opinions expressed in this paper and/or its images are those of the authors alone and do not reflect the official policy or position of the U.S. Department of Defense (DoD), U.S. Cyber Command, or any agency of the U.S. government. Any appearance of DoD visual information or reference to its entities herein does not imply or constitute DoD endorsement of this authored work, means of delivery, publication, transmission, or broadcast.