China government hacking/data privacy

The Chinese government and its state-controlled banks have worked hard over the last decade to “digitize” financial reporting and procedures. These days, a business operating in China virtually never needs to visit a Chinese government agency office or a bank. Transactions and reporting are done online.

For normal daily operations, this means all of the following are done through the Internet:

  1. Day to day banking
  2. Monthly tax reports
  3. Monthly tax and social insurance payments
  4. Issuance of VAT tax receipts
  5. Periodic reports to government agencies
  6. For importers/exporters, reporting to customs

If you try to do this kind of work through the old-fashioned method of personal visits to the various Chinese government offices, you will be turned away.

All this appears to be modern and efficient. But this extensive use of the Internet conceals a hidden danger. In all these transactions, Chinese government agencies and the banks require that the business use software provided by the agency or the bank. No independent software is allowed. This software is usually a package that includes connection software and anti-virus protection. In my experience, these packages are poorly written, buggy, slow and difficult to use. When installed on many businesses’ central computer, they slow operations to the point of being unusable.

But the real issue runs deeper. As I have discussed in earlier posts, the goal of the Chinese government is to make information networks in China closed to outsiders but completely open to the Chinese government. See “China’s New Cybersecurity Program: NO Place to Hide” and “China’s New Cybersecurity System: There is NO Place to Hide.” As I said in both of these posts, there is no place to hide. Once on the Internet, the information will be accessed by the Chinese government. To state the matter more clearly, the Chinese government has become the most active information hacker in China. So when a business installs the required software on its systems, this software is being provided by a hacker. The risks are obvious. In response to these two posts, many of our readers “suggested” we not be “so negative” about this hacking because “some of us still need to do business in China,” but nobody has questioned our conclusion regarding the risks.

The reality of the risk has recently been exposed by Trustwave, a U.S.-based cybersecurity consultant, in its report on a case where malware was included in software required by a Chinese bank for payment of taxes. See “The Golden Tax Department and the Emergence of GoldenSpy Malware,” subtitled “Trustwave SpiderLabs has discovered a new malware family, dubbed GoldenSpy, embedded in tax payment software a Chinese bank requires corporations to install to conduct business operations in China.” The basic story is typical of China. The bank requires installation of its mandated software created by a private “big data” Chinese company working under contract with the Chinese national tax department. In other words, the mandate requiring the use of this spyware comes straight from China’s national government in Beijing.

The software contains a backdoor that takes two actions. First, all data submitted to the bank and all other data on the host computer is transmitted to a server owned by a private Chinese company connected with China’s national tax department. This server is housed on the Alibaba cloud. Second, the software allows the operator of the backdoor complete access to the entire host computer system. Trustwave provides standard advice on best practices for dealing with this type of infection. Their advice to remove the software is, however, simply not practical, since companies are required to use this spyware to do business in China. Their alternative is to install the software on a dedicated laptop that is fully insulated from the main company computer system. This approach prevents infection of the main company network system. However, it does not prevent the private data transmitted to the local tax authority from being transmitted to the malware server to be used for undisclosed purposes. It is also not clear how the Chinese government will treat a foreign company that isolates its exposed data to a sole, non-networked computer.
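The dedicated-laptop approach only helps if the isolation is enforced and periodically checked. The sketch below is an added example, not taken from Trustwave's report or from this post: it audits network flow records for any traffic between the dedicated host and corporate subnets, and for external peers outside an expected allowlist. The host address, subnets, allowlist and flow records are all constructed placeholders.

```python
import ipaddress

# All values below are constructed for illustration (private and RFC 5737 ranges).
TAX_HOST = ipaddress.ip_address("10.99.0.10")  # assumed dedicated laptop
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/16"),
                  ipaddress.ip_network("10.1.0.0/16")]
# Placeholder for the range the mandated software is expected to reach.
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed flow records: (source, destination, destination port)
FLOWS = [
    ("10.99.0.10", "203.0.113.5", 443),     # expected submission traffic
    ("10.99.0.10", "198.51.100.77", 8443),  # external peer not on the allowlist
    ("10.99.0.10", "10.0.4.20", 445),       # dedicated host reaching a file server
    ("10.0.7.3", "10.99.0.10", 3389),       # corporate workstation reaching the host
    ("10.0.7.3", "10.0.4.20", 445),         # unrelated corporate traffic
]

def audit_flows(flows, tax_host=TAX_HOST, corporate=CORPORATE_NETS,
                expected=EXPECTED_EGRESS):
    """Return findings for flows that break the isolation assumptions."""
    findings = []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if tax_host not in (s, d):
            continue  # flow does not involve the dedicated host
        peer = d if s == tax_host else s
        if any(peer in net for net in corporate):
            # Any contact with the corporate network defeats the isolation.
            findings.append(("isolation_breach", src, dst, port))
        elif not any(peer in net for net in expected):
            # External peer other than the expected service: review it.
            findings.append(("unexpected_external", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(finding)
```

A clean audit confirms only that the laptop is segregated; as noted above, data entered into the software on that laptop can still leave over the expected channel.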

So now we know why all this Chinese government-mandated software works so badly. The software is so filled with malware, backdoors and surveillance protocols that normal operation is slowed to the point of making many systems unusable. Those of us who work in China have always assumed this and now the Trustwave report provides a concrete example.

The larger issue is that this forced installation of backdoor malware is a constant issue in China. It is not just the case of one piece of software from one bank. As this case shows, the national government works with government-controlled banks, local governments, private software/big data companies and Chinese-based cloud service providers to implement a system that allows total access to all information available on the networks located in China.

It might be possible to implement protections against one single piece of malware, as Trustwave advises. But as a practical matter, it is impossible to implement protection against the constant and pervasive measures the Chinese government takes to access private company data. There are too many points of access. For example, government-mandated inspection of company networks allows for installation of similar backdoor malware as part of the inspection process.

The issue is not simply the compromise of the China-based system of foreign investors. Once the China system is compromised, the hacker (Chinese government) can almost always then gain access to the entire international network linked to the hacked system. The infection spreads from China around the world. Informatization, big data and full spectrum dominance is the Chinese government’s highest priority. If you operate within China’s borders, there is no place to hide. This has important implications for companies operating in China and this reality must be carefully assessed.