The US Department of Homeland Security (DHS) has warned American businesses of the data theft risks of using equipment and data services provided by companies linked with the People’s Republic of China (PRC).
The business advisory was issued to highlight the PRC government-sponsored data theft risk to all organizations and individuals who choose to collaborate with, or use services, software, and devices provided by, PRC-linked firms. The DHS said that Chinese companies could be forced by newly enacted PRC laws to cooperate with Chinese security and intelligence services.

Under such coercion, Chinese firms can be made to install backdoors or bugdoors (deliberately introduced, plausibly deniable vulnerabilities) in their hardware and software, allowing entities associated with the PRC to harvest sensitive information from US companies.
The same laws could also be used to compel Chinese companies "to illicitly provide the PRC government with data, logical access, encryption keys, and other vital technical information."
Businesses, individuals, and other persons, particularly academic institutions, research service providers, and investors (hereafter, businesses and individuals) who choose to procure data services and equipment from PRC-linked firms or who store data on software or equipment developed by PRC-linked firms, should be aware of the economic, reputational, and legal risks associated with doing business with these firms. - DHS
"For too long, U.S. networks and data have been exposed to cyber threats based in China which are using that data to give Chinese firms an unfair competitive advantage in the global marketplace," DHS Acting Secretary Chad F. Wolf said. "Practices that give the PRC government unauthorized access to sensitive data – both personal and proprietary – puts the U.S. economy and businesses at direct risk for exploitation. We urge businesses to exercise caution before entering into any agreement with a PRC-linked firm."

The information theft efforts underlined by DHS's advisory are driven by the Chinese Communist Party (CCP) focus on data acquisition in support of the goals outlined in the PRC "Made in China 2025" plan, whose end goal is to make China the "leading global technological superpower by 2049."
The U.S. Government has responded to several instances of CCP data theft this year in an effort to protect national and economic security, including:
- On January 28, 2020, the Department of Justice (DOJ) charged Harvard University’s Chemistry Department Chair and two PRC nationals with undisclosed research funding, visa fraud, acting as an agent of a foreign government, and smuggling biological research to illicitly aid China’s research efforts.
- On February 10, 2020, DOJ charged four People’s Liberation Army (PLA) members with hacking into the computer systems of the credit reporting agency Equifax and stealing information of nearly 150 million Americans.
- On February 27, 2020, DOJ announced a PRC scientist was sentenced to 24 months in federal prison for stealing proprietary information worth more than $1 billion from a U.S. petroleum company.
- On July 21, 2020, the Federal Bureau of Investigation (FBI) announced an 11-count indictment alleging that two Chinese nationals conducted a 10-year hacking campaign targeting industries in multiple countries.
- On August 6, 2020, the President issued two separate Executive Orders, the first, Executive Order 13942 Addressing the Threat Posed by WeChat and, the second, Executive Order 13943 Addressing the Threat Posed by TikTok.
'Clear and present danger'

While delivering remarks on DHS’s response strategy to this threat, Wolf said that "the PRC is a clear and present danger that we cannot afford to ignore." He also provided examples of China's efforts to harvest data from American individuals and businesses.
For instance, "DHS is reviewing entities such as the Chinese manufacturer TCL," Wolf said. "This year it was discovered that TCL incorporated backdoors into all of its TV sets exposing users to cyber breaches and data exfiltration."
"TCL also receives CCP state support to compete in the global electronics market, which has propelled it to the third-largest television manufacturer in the world."
The pattern is not new. In the DOJ's announcement of the indictment of the four PLA hackers behind the Equifax breach, Attorney General William Barr summed up the broader privacy implications: "For years, we have witnessed China’s voracious appetite for the personal data of Americans, including the theft of personnel records from the U.S. Office of Personnel Management, the intrusion into Marriott hotels, and Anthem health insurance company, and now the wholesale theft of credit and other information from Equifax."
DHS recommends that U.S. businesses implement appropriate cybersecurity safeguards as part of a multilayered data security policy. "Businesses should familiarize themselves with the Cybersecurity Framework published by the National Institute of Standards and Technology (NIST), a voluntary framework that includes standards, guidelines, and best practices to manage cybersecurity risk," the DHS added.

The US State Department also warned that American retail investors are funding CCP and Communist Chinese military companies (CCMCs) involved in tech production for "the surveillance of civilians and repression of human rights."

"As of December 2020, at least 24 of the 35 parent-level CCMCs had affiliates’ securities included on a major securities index," the State Department said. "This includes at least 71 distinct affiliate-level securities issuers. There are also at least 13 PRC firms on the Entity List whose parent company or affiliates are included in the MSCI or FTSE stock indices."