- CHINA LAW BLOG - Oct 13, 2020 -
This is the third in a four-part series on China cybersecurity. This series stems from the recent webinar at which I discussed cybersecurity in China. To watch that webinar, go here. To read part 1 of this series, go here. Part 1 described the cybersecurity situation in China. To read part 2 of this series, go here. Part 2 explains why cryptography is not a solution and it looks at the Golden Tax Malware Program as an example of CCP malware. In this Part 3, I discuss how companies are essentially forced into an insecure network system so as to expose their data to the CCP and I examine the international implications of this. In part 4, I will address head-on practical options foreign companies have for dealing with China’s cybersecurity system.
VI. How Companies are Pushed into an Insecure Network System.
As we have seen, the goal of the CCP and its agents is to push all businesses, foreign and domestic, into an insecure network system that allows CCP surveillance, control and full access to all data stored or transmitted over networks within the PRC. So how do they do it?
A. The Chinese Government is the Hacker.
The basic goal of the PRC Comprehensive National Security (总体国家安全) concept in the network realm is for all network communication and information to be open and available to the Chinese government while blocked from access to parties outside the state. In keeping with this concept, the government seeks to ensure all network activity conducted within China is transparent to the state. This program is applied to all persons (individuals or entities) that operate within the borders of the PRC (and now Hong Kong and Macao). If you operate in China, you must assume all your networked data and communications are subject to capture by the Chinese government. There is no longer any privileged status given to foreign-invested companies or to foreign nationals; once within the borders of the PRC, their treatment is the same as for domestic companies and Chinese nationals.
So how does the PRC government implement this program? The key point is that the Chinese government is the hacker. When the hacker is directly involved in creating and policing the Internet and the key agent for implementing cybersecurity, it is axiomatic there will be no protection from the network intrusion/data collection activities of that hacker. The hacker dictates how the system will work and it of course provides no protection against its own activities.