The United States Department of Homeland Security (DHS) has published a new advisory warning businesses of the risks of using tech and data services linked to the People’s Republic of China (PRC).
In a 15-page “Data Security Business Advisory” report, the DHS provides the risks, historic timelines and actions needed for businesses to safeguard against PRC-linked threats.
The DHS highlights the risks in an excerpt from the report:
“Businesses expose themselves and their customers to heightened risk when they share sensitive data with firms located in the PRC, or use equipment and software developed by firms with an ownership nexus in the PRC, as well as with firms that have PRC citizens in key leadership and security-focused roles (together, “PRC firms”). Due to PRC legal regimes and known PRC data collection practices, this is particularly true for data service providers and data infrastructure.” (DHS)
Moreover, the report underscores that data collection by the PRC could result in the following risks to U.S. businesses:
- Theft of trade secrets, intellectual property and other confidential business information.
- Violations of U.S. privacy laws.
- Breaches of contractual provisions and terms of service.
- Security and privacy risks to customers and employees.
- Risk of PRC surveillance and tracking of regime critics.
- Reputational harm.
The DHS also warns that actions by the Chinese Communist Party (CCP) and new PRC laws have further enticed Chinese firms into secretly cooperating with and sending data to the Chinese government, including its security and intelligence services. These actions could also allow “PRC government data, logical access, encryption keys, and other vital technical information, as well as to install ‘backdoors’ or ‘bugdoors’ in equipment which create security flaws easily exploitable by PRC entities,” the DHS further explains.
Furthermore, the CCP has been highly focused on data acquisition to support the “Made in China 2025” plan and its objective of becoming a global technological superpower by 2049.
U.S. Government actions taken
To combat related national and economic security risks, the U.S. Government has previously taken multiple actions.
For instance, on May 15, 2019, President Trump issued an Executive Order on Securing the Information and Communications Technology (ICT) and Services Supply Chain. This order stated that certain transactions are prohibited, such as the “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service (transaction) by any person, or with respect to any property, subject to the jurisdiction of the United States, where the transaction involves any property in which any foreign country or a national thereof has any interest.”
On June 20, 2019, the United States Trade Representative (USTR) launched a case against China on intellectual property (IP) practices at the World Trade Organization (WTO). Consequently, the USTR imposed tariffs on $50B of PRC imports, which was later expanded to cover $370B.
Throughout 2020, the Department of Justice (DOJ) charged multiple PRC-linked actors with fraud, theft of information or other related criminal activity, including a Harvard professor, two PRC nationals, four People’s Liberation Army (PLA) members and a PRC scientist.
From April through August of this year, the President also issued three other related Executive Orders (EOs):
- EO 13913: Establishing the Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector.
- EO 13942: Addressing the Threat Posed by TikTok.
- EO 13943: Addressing the Threat Posed by WeChat.
Risks of data sharing
The DHS report further warns the “PRC legal and regulatory framework around data offers little to no protection to U.S. firms that share data with PRC firms or entities.”
For instance, businesses should be wary of reputational and other risks related to the following vectors:
- Data centers owned or operated by PRC firms.
- Foreign data centers built with PRC equipment (e.g., Huawei or ZTE equipment).
- Joint ventures.
- Legally acquired data augmenting illicitly acquired data (such as through data brokers).
- Software and mobile apps (e.g., TikTok).
- Fitness trackers and other wearables.
The DHS recommends that businesses and individuals that operate within the PRC or do business with PRC-related businesses review any business relationship that provides access to sensitive data.
“To the extent possible, they should minimize the amount of at-risk data being stored and used in the PRC or in places accessible by PRC authorities,” DHS warned.
Businesses should consider alternative, well-known service and equipment providers to safeguard sensitive data, such as data linked to export-related products, intellectual property, biotech, medical, personal data and geo-location data.
“Organizations should remain alert when conducting business in China, and IT operators should ensure proper segmentation of their network infrastructure from any external software use,” DHS added.
For organizations doing business in the PRC, the DHS said they should develop protocols for handling PRC demands for potentially sensitive information and can also contact the legal attaché at the U.S. Embassy in Beijing upon receipt of such demands.
Finally, organizations should prioritize the security controls needed to protect related sensitive data. Businesses should read and understand the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST), which provides solid guidelines and best practices for managing cybersecurity risks.
Readers can check out the DHS publication to download and read the full Data Security Business Advisory.