Chinese Cybersecurity Regulations & The National Security Risks Being Exploited By China.
Donald Trump hit China with sanctions in 2018. China’s “full spectrum war” revenge was multifaceted and not restricted to monetary domains; it was also executed in part by retaliating in the cybersecurity world, looking for exploits in how data is exchanged, processed, stored, and regulated.
The Chinese government has issued close to 300 new national standards related to cybersecurity over the past several years. These standards cover products ranging from software to routers, switches, and firewalls, and they are structured to preferentially benefit China in many ways.
These regulations are not widely known in the US, yet their long-term implications could entirely alter the trajectory of the United States. They pressure US-based companies to comply with rules they may be largely unaware of; meanwhile, Chinese-based companies are allowed to operate freely. This is one means by which China exacts revenge on the United States through cybersecurity regulations.
As of September 1, 2021, the new China Data Security Law drastically changed how data is transmitted and received by any entity entering and operating in Chinese cyberspace. According to Article 31 of the Data Security Law, the cross-border transfer of data collected and generated by critical information infrastructure (CII) operators within China is governed by the Cybersecurity Law. Data collected and generated by CII must be stored within the territory of China.
So, what is CII?
Critical Information Infrastructure refers to infrastructure in essential industries and sectors, such as public communications, information services, energy, transport, water conservancy, finance, public services, e-government, and other critical information infrastructure that, once damaged, disabled, or its data disclosed, may severely threaten national security, the national economy, people’s livelihood, and public interests (according to Article 37 of the Cybersecurity Law).
Any entity that falls within the scope of being classified as “CII” has to operate according to Chinese cybersecurity laws and submit to these new regulations, which are unknown to the entities sending data to China. Nations and companies are entering China completely blindfolded, with no knowledge of what is required of them to avoid being labeled as CII and investigated.
Networks that do not affect national security, social order, and public interests are usually classified as Level 1. In contrast, networks that may affect social order and public interest are classified as Level 2 or above. Systems or applications with higher degrees of impact are more likely to be classified as Level 3 or even Level 4. Level 5 is usually reserved for state-owned military systems.
Levels 3 and above are marked as CII.
However, the criteria determining whether data is considered CII are unknown to the entities concerned, who are left clueless regarding how to comply with China’s new regulations. China can even write new laws on a case-by-case basis due to the vagueness of the rules. This gives Chinese-based companies a tremendous advantage while US-based companies’ data is targeted using whatever new regulation China decides to apply. The Cybersecurity Review Regime (CRR) determines and assesses threat levels. The CRR is what is referred to as a “black box.”
Corporate entities have no information on how to comply with Chinese law because these new laws and regulations are entirely unknown to any entity utilizing Chinese cyberspace.
China can target companies whose products capture and use Personally Identifiable Information (PII) without these companies knowing how to prepare to enter Chinese cyberspace as defined by the People’s Republic of China. At the same time, China legally reserves the right to mark anything it sees fit as CII so that the data can be spot checked. What is most concerning is that under China’s Data Security Law, any dataset deemed “CII” must go through a black box review in which China stores the specific data inside mainland China to subject it to security review.
So not only are US entities unaware of the laws governing the space their datasets are entering in China, but those datasets are also being stored on mainland Chinese databases to be searched at the discretion of the CCP regime. Remember, regulations can be adjusted case-by-case since they operate behind the “black box,” determined by unknown criteria.
The term “black box” means that China can hide the criteria for compliance with some new regulations. If data is flagged as CII, it is transferred to a “black box” where it undergoes security procedures inside mainland China. This is the perfect opportunity for China to extract or copy data, including PII, or Personally Identifiable Information (names, phone numbers, addresses, dates of birth, social security or passport numbers, etc.).
The real question is, “why is China being allowed access to PII data in the first place?”
As if this couldn’t get any worse, the standard grants the FAC and sector regulators the authority to initiate audits when “deemed necessary.”
“There is no consensus among government decision-makers on defining ‘important data.’”
Let’s take a look at the phrase “deemed necessary.”
According to The National Intelligence Law of the P.R.C., Article 11 states, “National intelligence work institutions shall lawfully collect and handle intelligence related to foreign institutions, organizations or individuals carrying out, directing or funding foreign or domestic institutions, organizations, or individuals colluding to carry out, conduct endangering the national security and interests of the People's Republic of China; to provide intelligence references and bases for preventing, stopping, and punishing the above conduct.”
According to The Data Security Law of the People's Republic of China, Article 2 shows that when National Security is involved in the equation, the “Law shall apply to data processing activities and security supervision and regulation of such activities within the territory of the People’s Republic of China.”
China possesses the ability to create regulations that hide behind a “black box,” where it can mark ANY data as CII (Critical Information Infrastructure) via the CRR (Cybersecurity Review Regime), which determines the MLPS level (Multi-Level Protection Scheme). With an MLPS level above 3, the data is subject to being offloaded onto a mainland Chinese server to be inspected, data that very well could contain personal information and even source code, as stated below.
China has the right to demand source code from any entity with an MLPS score above 3 (without the entity knowing how it is rated); meanwhile, Chinese-based companies can operate “invisibly” through censorship of digital content.
You read that correctly: Chinese-based companies can operate invisibly in China’s cyberspace while United States data is rummaged through.
China requires source code whenever a Level 3 or above company outsources software development.
With most of the new regulations China has imposed in draft form, China can target any entity containing any information by editing a regulation to mark an entity’s data as CII. Once labeled, the data is loaded onto Mainland China behind the “black box.”
A good analogy for what China is doing to American data is driving on a road with no posted speed limit. Ultimately, you get pulled over, and the officer says you were speeding even though you may have been doing 25 mph. The Chinese Government has the right to state that the speed limit is 20 mph. Instead of writing you a ticket, you are pulled from the car, and a tow truck takes your car to an impound lot where it can be searched.
According to the PRC, once the data (or, in the analogy above, your vehicle) is taken to the “black box” in Mainland China, it is now their data. The Government may search the data, replicate it, replace it, or install spyware and viruses into systems.
Since most of the regulations the Chinese Government is imposing are still in draft form, the next “vehicle” traveling on that road may be pulled over for going 15 mph while the Chinese Government says the speed limit is 10 mph, and now your data is subject to search. The CCP is making up its own rules as it goes, and no one gets to know what those rules are.
Beyond targeting American entities, some organizations have close ties to China and even operate according to PRC law despite being American companies. These companies must know that the People’s Republic of China will inspect the data, and they facilitate this practice. Some of these companies control critical infrastructure in the United States, like our election systems and our healthcare systems. This puts Personally Identifiable Information directly in the hands of the CCP while the data is in transit.
China owns any data that lands on its servers.
We must ask ourselves, why are American companies obeying Chinese laws and disregarding American rules? How many companies in the US are conducting business with China? What information may the Chinese Government have on you and your family?
It is time we become more aware of the companies we consent to share our information with, especially with phone apps that our children use.
Now that we understand how the Chinese Government handles data traveling through China’s cyberspace, I want to leave you with the following thoughts.
On October 4th, Eugene Yu, President of Konnech, was arrested for “Data Theft.”
My question is, since it has been established that Konnech is outsourcing its coding to Chinese developers, wouldn’t ANY data, not just the PII of election workers, be subject to the Chinese Government sifting through it if determined to be CII?
Would this include anyone involved with Konnech on any level?
Would the CCP be interested in marking Konnech’s Election Management Software as CII to justify parking US Election related data on a Chinese Server?
Why would a foreign adversary like China want any United States Election data? (This is an easy one.)
Is it possible that Chinese Engineers could steal American Technologies and Patents?
Does this implicate or expose the data of our Elected Officials?
What about County level employees?
If Konnech is installed in a county’s system, would an API connection expose ALL data in that county’s system to search if it were marked as CII when transferred?
Could Konnech’s source code be stored on a database in China?
If Konnech’s source code is or was stored on a database in China, would China own the EMS systems deployed by Konnech in US Elections?
Products like AbVote allow overseas and uniformed voters access to remote voting. Is it possible that any data passing through Chinese cyberspace could be seized and searched by the Chinese Government if marked as CII?
What other vulnerabilities exist?
We could list a few hundred concerns, but you have the idea.
This is a matter of National Security.
It is time to ask the tough questions since the FBI does not want to do its job. Konnech has implemented many products in our election system and children’s school systems. Our data is not safe. It is time to call our elected officials to start asking questions and DEMANDING answers: no more run-around responses.
It is time to govern the institutions that govern us.
Thank you for reading and supporting my work. Please share this information with your friends and family as it directly pertains to them.
A Special thank you to @CognitiveCarbon for helping me with the terminology of this article. Please subscribe to his substack as well!
I went back and reread this article and its related links. This issue is a National Security issue. The timeline that GP & CE began working with local office FBI happened to be around 1/21 if I recall. That exposed Konnech and Eugene Yu. That this vague law was passed 8 months after 1/21. That to me is not coincidence. I don’t believe in such a thing. I wonder what our elected officials from Fed to State, County, Municipality, Townships to unincorporated locals are doing about it. This needs to be addressed by them. None of us should stop until they do. GP’s Truth post immediately after 11/8/22 revealed that the entire state (commonwealth) of PA electoral voter database is on .cn servers given to them out of Allegheny county. I hope more people come back to read this article.
Fantastic information.
Thank you for it. Let’s hope that after the Nov 11 elections we will get to the bottom of it quickly.