In a recent series on China Law Blog, Steve Dickinson describes the practical espionage the Chinese government applies to everyone in China. It’s a scary picture for those living in the West, and it is corroborated by many other accounts. The government even requires access to visitors’ devices and to systems connected to many Chinese businesses and banks.
China’s approach to secrecy (you don’t get any) is well-documented. They have stolen secrets from many non-China companies over the last 20 years, and will likely continue to do so for the foreseeable future. As Steve describes, it’s not subtle.
In a previous response, I described some easy ways to isolate the Chinese data and operations. It assumes that Chinese government intelligence will have unrestricted access to any device or system in China or with Chinese software installed on it.
The specifics of those strategies addressed a use case I heard in the first article: a US company with mostly non-China operations needs to regularly communicate with a Chinese business. In this case, a US employee would push the information relevant to the Chinese business into an isolated computer running their software, then perform the necessary operations out of the isolated computer. Chinese intelligence has access to everything at the Chinese business and the non-China company’s secrets on the isolated computer, but not every secret in the non-China company.
In Steve’s second article, he describes several scenarios with deeper integration and more points of connection to China than the original. He lists other points of integration that companies doing business in China may need:
Local government affairs
National government affairs
Employee benefits services
While the specifics may look different, the basic strategy of business data isolation I laid out in the first response still works for companies with greater integration with China, up to and including companies with substantial operations there. The cost of implementing it will naturally scale with the complexity and size of the company’s dependence on China. For companies that do not want to share all their secrets with China, consider this isolation a natural cost of doing business with China.
These costs will not scale perfectly with the amount of business done with China and will contain hidden costs from labor and rework.
Most importantly, this isolation strategy does not account for the basic negotiation of secrecy with the Chinese government or its representative via a Chinese business partner. They want all your secrets. You may not want to give them your secrets. Where to install their virus is a proxy for this negotiation, equivalent to a contractual clause saying that the PRC can see and modify any information you own. As Steve says, China may try to make your Chinese operations difficult if you maintain the right to keep secrets from it. Recognize this pressure for what it is: a negotiating tactic. It is a natural cost of doing business in a country where the rule of law is weaker.
Assume China spies can get full access to any system and its resident data if:
A Chinese worker or employee can access it
It is located in China
It runs Chinese-developed software
A system accessible to China spies can access it
Sometimes systems and data can be substantially protected even within one of these scenarios, but it requires more work to set up and maintain. It is usually simpler and more foolproof to isolate systems by design.
This threat does not assume that your Chinese employees are somehow less trustworthy than non-China employees. Rather, if the Chinese government asks them to do something (such as give them their password and laptop), they will usually do it. Likewise, even if you perform deep analysis on Chinese software and find no embedded virus, there is no guarantee that future updates will not contain one. You would have to redo that analysis every time new software was required, and even then have no confidence of success: viruses are hard to find in large software packages.
What does work
I will not prescribe a standard recommendation for all businesses doing business with China. China applies different amounts of pressure to businesses based on the value of their secrets and the cost for them to apply that pressure. As China Law Blog points out in other articles, their treatment of foreign companies will vary as economic and legal conditions change and is changing rapidly now. Your decision to withhold or share secrets with China depends on the value of your business with them and the value of your secrets.
For those that do business with China, want to keep secrets, and find those costs acceptable, I’ll describe three scenarios of increasing integration with China and ways to most efficiently isolate their access. These are examples only and are intended to educate about possible options available to you and your business. Many businesses should tweak them to fit. If you’d like help developing your plan, please contact me.
Employees may also need to visit China business partners several times a year.
When employees visit China, provide them with limited devices that permit them to achieve the purpose of their China trip. Any information or capabilities they use while in China will also be available to Chinese intelligence. To enable continued communication while on their trip, use a separate email account, with a forwarding rule set on their main account. The rule should forward only emails from Chinese business partners and affiliates relevant to the trip.
This business may have several business partners in China, needing to perform transactions or exchange standard data with those partners up to several times per day.
Run subsidiaries as separate businesses with independent systems. To perform transactions and send data, create a cloud-hosted desktop and install the China-mandated programs, a fileshare server program, and whatever software is needed for these to run. Connect your main data systems to the sftp server on the cloud-hosted desktop. Provide your operations staff with access to the desktop, and train them to use the cloud desktop and the main data systems to safely exchange data with the China partners.
This business has substantial operations in China, with many China and non-China employees daily collaborating on work. Examples include:
A company with manufacturing in China and non-China countries, with final product depending on tightly managed inventory and the supply chain. Each plant needs perfect and up-to-date inventory information about other plants.
A global financial services company with branches and staff in China serving Chinese customers. These customers do many transactions with non-China businesses.
At some point, it is not tenable to run your China operations as isolated subsidiaries because you will spend too much time and effort syncing their work and transactions with other parts of your business. At this point, your isolation strategy changes. Your China operations will likely also have enough insight into the other parts of your business because they are involved in executing global strategies. There is then little worth in keeping the bulk of your information secret from Chinese intelligence, as much of it is already known to Chinese employees. You should adopt the opposite strategy from the Limited scenario: provide your China employees with the same direct access to the primary systems and data as other employees. While systems located in China (red items below) are slightly easier for Chinese intelligence to break into than systems hosted outside of China (purple), it’s not a big difference. Assume they have access to both systems.
Decide which information at your company needs to be kept secret, then isolate it (blue).
In this situation, it is important to keep the system containing China worker accounts and access separate from the one containing non-China accounts and access. These identity systems are used to govern who can get to which information and capabilities, so workers and systems in China should never connect to or use the non-China identity system. Systems can be easily configured to use multiple identity systems when deciding access, so the global systems can point at both.
For stronger security, isolate your secret-containing systems (blue) to have strict one-way connections to common systems (purple).
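The four exposure conditions listed earlier and the one-way rule above can be checked mechanically against a system inventory. The following is an added example, not part of the original post; the system names, the inventory, and the `exposed_systems` helper are all hypothetical, and an access edge `(src, dst)` is assumed to mean that `src` can reach into `dst`.

```python
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class System:
    name: str
    in_china: bool = False            # physically located in China
    chinese_software: bool = False    # runs Chinese-developed software
    china_staff_access: bool = False  # a worker in China can log in

def exposed_systems(systems, can_access):
    """Map each exposed system to a reason; can_access holds (src, dst) pairs."""
    reasons = {}
    for s in systems:
        if s.china_staff_access:
            reasons[s.name] = "a worker in China can access it"
        elif s.in_china:
            reasons[s.name] = "located in China"
        elif s.chinese_software:
            reasons[s.name] = "runs Chinese-developed software"
    # Fourth condition: exposure spreads along every access path.
    queue = deque(reasons)
    while queue:
        src = queue.popleft()
        for a, b in can_access:
            if a == src and b not in reasons:
                reasons[b] = f"reachable from exposed system {src}"
                queue.append(b)
    return reasons

# Constructed inventory; all names are hypothetical.
SYSTEMS = [
    System("cn-plant-erp", in_china=True),
    System("global-inventory", china_staff_access=True),
    System("partner-desktop", chinese_software=True),
    System("finance-core"),
    System("design-vault"),
]
# One-way design: secret systems push outward, nothing exposed reaches in.
ONE_WAY = {
    ("cn-plant-erp", "global-inventory"),
    ("design-vault", "global-inventory"),
    ("finance-core", "partner-desktop"),
}

if __name__ == "__main__":
    for name, why in exposed_systems(SYSTEMS, ONE_WAY).items():
        print(f"{name}: {why}")
```

Adding a single pull-style edge such as `("global-inventory", "design-vault")` to the access set makes `design-vault`, and everything it can reach, show up as exposed, which is why the direction of each connection matters as much as its existence.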
Or...go for the gold
In a traditional isolation model like the one just described, systems and information are grouped together by value or risk and connected together, with an assumption that communications between these systems are trusted. This design is often compared to a castle, with the valuable things inside, and its security defined by the strength of its walls and the skill of the gate guards at inspecting all the cars going in and out. This is the model Steve assumes when he says “China can get into your network,” with the implication that once in your network (behind your walls), China can get anywhere and do anything.
Companies are gradually moving away from this design because it’s hard to make sure everything going in and out of the gates is safe or valid. The zero-trust model abandons this castle concept and instead equips each system with its own set of walls. Each system’s walls are built out of a common set of blueprints. This is more of an armored-car-with-GPS model: each piece is independently protected, and each car’s route is known. If a car deviates from its route or gets taken over by baddies, it is more easily fixed without threat to the valuables in the other armored cars. Google invented and popularized it, and it has gotten wildly popular. If you're building something fresh, this approach is not more expensive than a traditional model, and provides much more security.
If you'd like help protecting your secrets from China, let's talk.