(Lack of) Privacy: Threat intelligence firm Recorded Future has published a report detailing the potential impact of the updates to China’s cybersecurity law that took effect last November. Bottom line: the Chinese government can legally hack any company with online services in China under the guise of searching for security flaws, and it can access and copy all of that company’s user data while doing so.
The new provisions are nominally aimed at protecting Chinese citizens: they let the Ministry of Public Security (MPS) perform remote or on-site penetration testing and network analysis. The MPS may target any company that provides internet services in China, or any company with internet-connected computers in China.
However, nothing in the provisions requires the MPS to disclose the security flaws it finds to the company, nor to help patch them. The MPS also does not have to reveal which parts of the company’s network it will examine, or what data it is copying. That is possibly the worst part: the government gets a copy of ALL user data a company holds on its Chinese network, which, depending on how the company’s network is segmented, may include data stored in other countries.
While the new provisions let the MPS walk in the door of any company at any time with minimal prior notice, an on-site visit is not necessarily how they will access information. Penetration testing normally has the goal of finding flaws by attempting to hack a network, but under these provisions it does not have to stop once flaws are found: the MPS is permitted to exploit any flaws it discovers however it likes.
Even when no vulnerabilities are found, the MPS has the power to force a company to create a backdoor. Refusing is not a realistic option, since the People’s Armed Police accompany the MPS on every on-site operation.