August 31, 2017 • Insikt Group
In this post, we offer in-depth analysis of the Chinese information security organizations tapped to support the national security review portion of China’s new cybersecurity law (CSL) and reveal an expanded role for an office run by the Ministry of State Security.
On June 1, 2017, after years of domestic and international debate, China’s national cybersecurity law finally went into effect. Much of the law focused on the protection of Chinese users’ data, while assessments of the law emphasized the potential negative impacts to foreign companies and technologies and the difficulties in complying with the onerous, vague, and broad new legal requirements.
Recorded Future’s research has focused on the broad powers the cybersecurity law gives to the China Information Technology Evaluation Center (CNITSEC), an office in China’s premier foreign intelligence service, the Ministry of State Security (MSS). The law gives “network information departments,” including CNITSEC, the power to conduct “national security reviews” (see Article 35) of technology that foreign companies want to use or sell in the Chinese market.
The MSS’s integration into the information security architecture of China via CNITSEC will (1) possibly allow it to identify vulnerabilities in foreign technologies that China could then exploit in their own intelligence operations, and (2) create an impossible choice for foreign companies between giving their proprietary technology or intellectual property to the MSS and being cut out of the mainland Chinese information technology market, which is projected to reach $242 billion in 2018.
In our May 2017 blog post attributing the threat actor group APT3 to the Chinese MSS, we also identified a Chinese information security organization that is actually run by the MSS — CNITSEC, also referred to in this piece as “the center.”
According to academic research published in “China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain,” CNITSEC is run by the MSS and houses much of the intelligence service’s technical cyber expertise. CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments.” Per a 2009 U.S. State Department cable, it is believed China may also use vulnerabilities derived from CNITSEC’s activities in intelligence operations. CNITSEC’s former Director and current party secretary, Wu Shizhong, even self-identifies as MSS, including his work as a deputy head of China’s National Information Security Standards Committee as recently as January 2016.
CNITSEC’s role in the new information technology regulatory regime has become apparent only over the last few months as the Chinese state began to finalize and publicize regulations in support of the CSL.
Cybersecurity Law Is Broad and Language Is Vague
Before delving into CNITSEC’s role, it is important to first review relevant sections of the CSL and the obligations foreign companies are likely to incur (for a good English-language translation, please see China Law Translate). It is important for companies to note the imprecision and breadth of the CSL as well as the 2015 National Security Law, because both contain vague language that can be invoked by Chinese authorities to compel national security reviews, data sharing with government authorities, and even inspections into proprietary technology or intellectual property.
Upon its passage in November 2016, one of the poorest-defined sections of the law was “Chapter Three: Network Operations Security.” Chapter Three includes 18 articles which define the “network security protection” responsibilities of “network operators” and additional legal responsibilities for companies that operate “critical information infrastructure.”
Only one of the three terms referenced above was defined in the law itself. The CSL states that “network operators” are “network owners, managers, and network service providers.” According to a KPMG analysis of the law:
Enterprises and institutions that provide services and conduct business activities through networks may also be defined as “network operators.” In addition to traditional telecom operators and internet firms, network operators may also include:
This is such a broad interpretation of the term that it could encompass any business that uses the internet or collects user data in China. Further, companies that are categorized as “network operators” are subject to a review by government regulators if they ever wish to transfer large amounts of user data abroad (see Article 37).
According to Article 28 of the CSL, “network operators” are also obligated to provide assistance to “preserve national security and investigate crimes” to public and state security agencies. This could place companies in a position of having to provide information to Chinese law enforcement and state security organizations on users or activities that are not considered crimes in the west, particularly “internet-related crimes.” Some of these “internet-related crimes” include using the internet to “fabricate or distort facts, spread rumors, disturbs social order,” “insult or slander others,” and to propagate “harmful information.”
A subset of “network operators” are classified by the law as operating “critical information infrastructure” and subject to even greater regulations and reviews. The text of the CSL classifies “critical information infrastructure” as:
Public communication and information services, power, traffic, water, finance, public services, electronic government (e-gov), and other critical information infrastructure that if destroyed, lost functionality, or leaked data, might seriously endanger national security, the national economy and the people’s livelihood, or the public interest.
The Chinese state’s definition of “national security” was formalized in the July 2015 “National Security Law” as:
The relative absence of international or domestic threats to the state’s power to govern, sovereignty, unity and territorial integrity, the welfare of the people, sustainable economic and social development, and other major national interests, and the ability to ensure a continued state of security.
Companies in this sector, and any products or services purchased by them, will also be subject to a “national security review,” which the Financial Times reported allows the government to “request computer program source code” and “delve into companies’ intellectual property.” The article also states that “even fast-food delivery companies could be considered critical infrastructure, Shanghai regulators ruled during a pilot run for the law,” probably because they possess personal information on millions of Chinese users.
CNITSEC’s Role in CSL Provides MSS Collection Opportunities
As outlined in our blog on APT3 and the MSS and detailed again above, CNITSEC has never officially acknowledged its relationship with the MSS, but the center’s mandate to serve the Chinese state, party, and government organizations, as well as conduct reviews under the CSL, is well-documented.
Wang (photo below) also emphasized in this speech that the CSL national security reviews would focus on the possible impact on national security, security risks, security reliability, control, security mechanisms, and technological transparency. He continued to maintain that the reviews would be conducted by professional “third parties” that were ostensibly objective and independent. However, with CNITSEC, an office within the MSS, emerging as a certified national security reviewer, the independence of every other organization that has also been certified is called into question.
CNITSEC also runs the China National Vulnerability Database of Information Security (CNNVD), which is the nation’s information security assessment center, and is responsible for the construction, operation, and maintenance of the national information security vulnerability data management platform.
Overtly, CNNVD operates similarly to other National Vulnerability Databases (NVD), such as the U.S. government’s National Institute of Standards and Technology (NIST) NVD, which is run by a division within the Department of Homeland Security (DHS), tasked with publicly identifying, reporting, and creating patches for software vulnerabilities. While there is not an exact DHS equivalent in China, the Ministry of Public Security (MPS) mission and scope is most similar and is widely considered China’s DHS counterpart. The MSS’s most similar U.S. counterpart is the Central Intelligence Agency (CIA); however, the MSS is also empowered to collect intelligence within China, with some functions resembling the Federal Bureau of Investigation (FBI). For comparison, the MSS running the CNNVD would be roughly the equivalent of the CIA running the NIST NVD.
The fundamental problem with the MSS running CNITSEC and CNNVD, and more broadly, the MSS’s role in China’s information security organizational infrastructure, is that the MSS is China’s “leading civilian intelligence agency,” responsible for both foreign intelligence and counterintelligence operations. According to “China’s Security State: Philosophy, Evolution, and Politics,” the MSS is “responsible for collecting and assessing civilian intelligence relevant to national security and for conducting counter espionage operations against foreign countries.”
This means that the MSS is using the broad language and new authorities in China’s cybersecurity law to possibly gain access to vulnerabilities in foreign technologies that they could then exploit in their own intelligence operations. The MSS has a voice in which vulnerabilities are reported via the CNNVD, because they run it; they could also easily identify and hide from the public a critical weakness in software or hardware, then turn around and use it in their own operations.
There are two critical differences between the way the MSS could run the CNNVD and how the CIA or NSA interact with the NIST NVD system. First, while it has been widely documented that the vulnerabilities exploited by the ETERNAL series of NSA tools were not identified to Microsoft or the NIST NVD before they were acquired by the ShadowBrokers group, the NSA is not part of the NIST NVD and did not actively censor these vulnerabilities from the database. The MSS (via CNITSEC) runs the CNNVD and can choose to repress or control the vulnerabilities that are reported to the public.
Second, the MSS could leverage research conducted by the CNNVD to support their operations. U.S. intelligence agencies such as the NSA and CIA identify vulnerabilities based on their own research and are not allowed to leverage NIST NVD’s non-public research.
The vagueness and opacity of the definitions in the CSL means that many foreign companies, especially those considered part of the “critical information infrastructure,” will have to make the grim choice between giving their proprietary technology/intellectual property to the MSS and being excluded from the mainland Chinese market. Allowing their technology to be security reviewed by the MSS could have a secondary ramification of putting current customers or users at increased risk for Chinese state-sponsored cyberattacks.
Foreign companies seeking to conduct business in China, especially those in the “critical information infrastructure” sectors, now face a host of technical, legal, and ethical decisions about operating in China that might not have been previously considered. These decisions will impact both the tactical and strategic plans and operations for companies in a wide range of industry verticals.
First, with the knowledge that the MSS could discover and operationalize vulnerabilities in proprietary products or services, companies need to evaluate three possible risk scenarios:
Most products and services utilized in China will not be wholly unique from their global counterparts, raising the risk that vulnerabilities discovered by the MSS could be utilized to exploit international users of these machines, networks, products, and services. Companies in this loosely defined “critical information infrastructure” sector are at greatest risk. These likely include software and hardware vendors; SaaS (software as a service), IaaS (infrastructure as a service), PaaS (platform as a service) companies; cloud, security, and network providers; and many more.
Second, cooperating with Chinese authorities by providing information on the subjects of domestic investigations could open companies to public criticism in Europe and North America, lawsuits, and possible censure from multiple levels of government. In 2007, Yahoo found itself in the crosshairs of a bipartisan congressional hearing after providing information to the Chinese authorities that was connected to the imprisonment of a dissident journalist. The company’s CEO and General Counsel were branded “moral pygmies” and “irresponsible” by the chairman of the House Foreign Affairs Committee, and the company has been forced to defend its reputation with civil rights groups since the incident. Yahoo was even forced to settle a private lawsuit stemming from its cooperation with the Chinese government. Moving forward, even more companies will be forced to thread the needle between compliance with Chinese regulations and adherence to Western business ethics in order to avoid similar difficulties.
This is not meant to replace legal advice or counsel. Please make sure to consult local legal counsel for additional concerns regarding China’s cybersecurity law.