China's new cyber security law could be invoked by government agencies to inspect or obtain proprietary technology or intellectual property from foreign companies.
Foreign companies could be forced by the Chinese government to hand over the source code of their technologies for vulnerability testing.
Enacted in June, China's new cyber security law aims to protect citizens' data and to ensure that the country's information technology infrastructure is not affected by security flaws. At the same time, it is a strong weapon which the government can use to keep a close eye on VPNs used by foreign firms doing business in the country.
Back in August, we reported that the new cyber security law ensures critical personal data of Chinese citizens cannot be stored outside China without express permission from the Chinese government. In a revealing blog post, Recorded Future now contends that the new law will also enable the China Information Technology Evaluation Center (CNITSEC), which is run by the Ministry of State Security (MSS), to obtain source code for technologies owned by foreign companies under the guise of vulnerability testing.
Under the new cyber security law, IT companies and companies that hold customer data are now subject to a national security review that allows the government to request source code and delve into companies' intellectual property.
At the same time, companies may also be obligated to turn over information and sensitive data to Chinese authorities to "preserve national security and investigate crimes". According to Recorded Future, these crimes may include using the internet to fabricate or distort facts, spread rumors, disturb social order, insult or slander others, and propagate harmful information.
The definition of "network operator" in the new cyber security law is also so wide and vague that it covers almost every foreign business operating in the country. As per the new law, a network operator could be a financial institution that collects citizens' personal information and provides online services, a provider of cyber security products and services, an enterprise running a website, or even an enterprise conducting business activities through networks.
"The vagueness and opacity of the definitions in the CSL means that many foreign companies, especially those considered part of the “critical information infrastructure,” will have to make the grim choice between giving their proprietary technology/intellectual property to the MSS and being excluded from the mainland Chinese market," reads a White Paper published by Recorded Future.
"Allowing their technology to be security reviewed by the MSS could have a secondary ramification of putting current customers or users at increased risk for Chinese state-sponsored cyberattacks," it adds.
The White Paper also looks at the risks that companies face even if they comply with the new cyber security law. Providing information to Chinese authorities may attract the ire of western countries who may not be so inclined to see the Chinese obtaining sensitive data.
Recorded Future cites the example of Yahoo whose CEO had to appear before the House Foreign Affairs Committee in the US after the company handed over sensitive information to the Chinese about the imprisonment of a dissident journalist. The company has also faced a number of lawsuits since the incident concerning the privacy of citizens and data belonging to certain countries.
"Foreign companies seeking to conduct business in China, especially those in the “critical information infrastructure” sectors, now face a host of technical, legal, and ethical decisions about operating in China that might not have been previously considered. These decisions will impact both the tactical and strategic plans and operations for companies in a wide range of industry verticals," the firm concluded.