China is well known across the world for its strict measures and legal norms when it comes to the national cyber-space. Many regulations are introduced in order to help keep cyber-crime at bay and to help avoid any illegal online activities. For example, a recent regulation issued by the government of China requires all users who post any sort of web-content to provide their real names as a way of personal verification. Any online service will hence be required to ensure that no user posts or shares anything without having first given their name. You can read more about this here. In the following article, we will go over yet another strict cyberspace regulation which has sparked a couple of important questions that will be addressed down below.
Source code review for foreign companies
As of June 1st this year, a Chinese law that was passed back in 2016 has come into effect: the new legal norm requires foreign companies that seek to be active on the Chinese market to provide access to their software source code. The agency responsible for collecting and reviewing the companies’ source code is the China Information Technology Evaluation Center (CNITSEC).
The legal power of CNITSEC will include the right (and obligation) to request access to the source code of any foreign application, program, service or website that is available on the Chinese market. According to the government of China, the reason for this new measure is to ensure the cyber security and safety of its citizens. The source code will be searched for any mechanisms which might collect personal data of Chinese users or that could pose some other threat to their online privacy.
CNITSEC was once linked to a Chinese cyber-espionage group
Recorded Future, a US security intelligence company, has previously reported that CNITSEC might have been linked to APT3, an espionage group behind numerous hacker attacks on US and Hong Kong companies. The connection between CNITSEC and APT3 is as follows: CNITSEC works with Boyusec, a company which was once connected with the hacker organization known as APT3.
Obviously, being able to access the source code of apps and online services of foreign companies would enable the Chinese government to detect software vulnerabilities. According to Recorded Future, this has most likely already happened. A number of studies suggest that state agencies in China are actually behind hacker groups like APT3. Even though this cannot be confirmed for certain, many experts firmly believe it to be the case, which makes the new law seem all the more unfavorable towards foreigners.
Implications
Researchers who have addressed this issue are concerned that this sort of mandatory source code review could lead to the discovery of software vulnerabilities which could then be exploited by espionage groups linked to the state agencies responsible for carrying out the audits. This could, in turn, lead to severe problems for foreign companies that rely heavily on the Chinese market or that seek to expand their activities towards China. For instance, if security flaws found in the source code allow for spying and unauthorized data collection, and the collected information ends up in the hands of Chinese companies, the latter would gain a severe (and unfair) advantage over their foreign competitors.
That said, there’s little to no choice left for the owners of foreign companies: if they refuse to provide CNITSEC with their source code, they will be prohibited from operating on the Chinese market and will thus be pushed out of it.
For now, companies such as Microsoft, IBM and Intel have made attempts to oppose this unfavorable regulation, yet those attempts have been to no avail. More likely than not, giant IT companies such as those mentioned above will eventually have to give in to the Chinese law and provide the government with the demanded details in order to remain on the Chinese market. There is already an example of a big IT firm which declined to comply with certain Chinese regulations and was subsequently pushed out of the country’s market and cyberspace: a couple of years ago Google, the biggest search engine on the Internet, was blocked in China for refusing to adhere to a number of censorship regulations.
Broad extent of the Chinese cyber-security law
As pointed out by Recorded Future, the new cyber-security law in China is written in broad and vague language that leaves much open to interpretation. Because of this, the government of China would be able to impose the regulations of the law not only on IT companies that sell apps or provide online services but also on other firms such as, for example, fast food delivery companies. Such broadly interpretable laws make it all the more difficult for foreign firms to work with the Chinese government and decrease their trust and willingness to provide essential details related to their work, such as the source code of their products.
Similar regulations in Russia
A similar law is active in Russia, where foreign companies are also required to hand over their source code, and a number of them have already provided theirs to the Russian government. Among the first to have revealed their source code are SAP, Cisco and IBM. The situation is essentially identical, as the implications are the same: access to the source code could compromise the cyber-security of the firm, as US officials have warned on a number of occasions.