China cyber law

This is the second in a multi-part series on China cybersecurity. This series stems from the recent webinar at which I discussed cybersecurity in China. To watch that webinar, go here. To read part 1 of this series, go here. Part 1 described the cybersecurity situation in China. This part 2 explains why cryptography is not a solution and then it looks at the Golden Tax Malware Program as an example of CCP malware.

IV. Cryptography is not a solution.

The PRC National People’s Congress enacted the long-awaited Encryption Law (密码法), which came into effect on January 1, 2020. The official text of the law can be found here and an English language summary can be found here.

Cryptography is a key technology that will be used to achieve the goals of the comprehensive cybersecurity program. Normally, cryptography is used to protect the confidentiality of information transmitted and stored on networks. But its use presents the Party with a dilemma: the same cryptography that hides information from the general public can also be used to hide information from the government itself. In this case, the Chinese government is presented with the issue of how it can require cryptography while still maintaining its open access to the network system.

The Law divides encryption into three categories: core, common and commercial. Core and common are intended for systems that transmit and store PRC state secrets. Commercial encryption is intended for business and private use. Foreign encryption systems can be sold in China, if approved and certified through a certification system that has not yet been described. Use of encryption will be subject to the provisions of the Cybersecurity Law and the associated MLPS 2.0 regulations. Article 26. The State Cryptography Administration (SCA), an office of the CCP, will have authority to monitor and inspect implementation and use of the cryptography system.  Article 31.

This three-class system ignores the way cryptography is normally implemented. The most important cryptography systems are not commercial systems. Most systems are based on the Gnu Privacy Guard system. This is a completely open system. The source code is generally available to the public. You can download the source code here. It is not conceivable that the organizations that offer PGP systems will cooperate with the PRC government in obtaining review and certification of their product when the focus of these PGP systems is to allow companies and individuals to hide their information from the government. Cooperation with any government would be contrary to that principle.

This then leads to the first question under the new Law. Most cryptography systems are freely downloadable as open source systems. The PRC government is free to examine the source code used to implement the PGP and related open source systems. The real issue is whether the PRC government will allow companies and persons who operate in China to use PGP and related systems, given that that these systems will NEVER be submitted to the PRC government for review and approval. If the answer is no, then the entire set of provisions for foreign encryption systems is meaningless. If the answer is yes, then the designation “commercial” has no meaning.

This then leads to the most important issue. Cryptography techniques are not secret. The most important algorithms are public and available to anyone to use. Governments know exactly how the algorithms work because governments have been the inventors of most of these algorithms. The Cybersecurity Law ‘s focus on cryptography products is nothing more than a head fake. What is critical in cryptography is not protection of the cryptography algorithm; what is critical is protection of the key that allows decryption of the encrypted message or data.

The Cryptography Law is silent on the issue of decryption and it is also silent on protection of passwords and other keys that prevent decryption. Its ultimate plan is to break all forms of end to end encryption by putting all passwords and decryption keys into the hands of the PRC government and the CCP. In other words, opaque to the public but transparent to the government.

Article 31 of the Cryptography Law provides for a government inspection and control system implemented by the SCA and its local agencies. This system gives the SCA and its local agencies complete access to the cryptography system and to the data protected by that system. The systems are also subject to the MPS supervision and control system that is being implemented under the Cybersecurity Law and the MLPS 2.0 system described here and here. So both the SCA (a CCP office) and the MPS (working with the MSS) will have full access to encrypted servers, including full access to the decryption keys and the passwords. Once this access is achieved, end to end encryption disappears. For a description of how this works, see this.

In the end, inviting foreign providers and users of cryptography is just a trap for the unwary. Once data crosses the Chinese border on a network, 100% of that data will be 100% available to the Chinese government and the CCP. Cryptography may prevent access by the public, but all this data will be an open book to the PRC government.

This then raises major issues for U.S. and other country entities that rely on end to end encryption in China as an exception to U.S. export control rules. Under China’s new system, end to end encryption will no longer exist in China and so this exemption from U.S. export controls will no longer be effective. As the U.S. expands the scope of technology subject to export controls, the risks for foreign companies will become progressively more significant.

Many U.S. entities look at cryptography as their escape from China’s Cybersecurity Law, but that will not work because the PRC government will not let it work. The Chinese government knows exactly what it is doing. The Chinese government has set up a system that will allow it to achieve a fully transparent system.

 

V. A Concrete Example: The Golden Tax Malware Program

The ultimate goal of the Chinese system is for the Party to install malware on computer systems that allows the Party and its agents full access to the system. This malware is normally some form of a remote access trojan (RAT), a malware technology in which the Chinese are world leaders. The Golden Tax malware program provides a concrete example of how this can be done.

The Chinese government and its state-controlled banks have worked hard over the last decade to “digitize” financial reporting and procedures. These days, a business operating in China virtually never needs to visit a Chinese government agency office or a bank. Transactions and reporting are done online.

For normal daily operations, this means the following are done through the Internet:

  1. Day to day banking
  2. Monthly tax reports
  3. Monthly tax and social insurance payments
  4. Issuance of VAT tax receipts
  5. Periodic reports to government agencies
  6. For importers/exporters, reporting to customs

If you try to do this kind of work by visiting Chinese government offices, you will be turned away.

All this appears to be modern and efficient, but this extensive use of the Internet conceals a hidden danger. In all these transactions, Chinese government agencies and the banks require the business make use of software provided by the agency or the bank. No independent software is allowed. This software is usually a package that includes connection software and anti-virus protection. In my experience, these packages are poorly written, buggy, slow and difficult to use. When this software is installed on a business’s central computer, it slows operations to the point of being unusable.

But the real issue runs deeper. As discussed above, the goal of the Chinese government is to make information networks in China closed to outsiders but completely open to the Chinese government. Once on the Internet, the goal of the system is to ensure all information can be accessed by the Chinese government. To state things more bluntly, the Chinese government has become the most active information hacker in China. The software the business is required to install on its systems is being provided to it by a hacker – the CCP. The risks are obvious.

The reality of the risk has recently been exposed by Trustwave, a U.S. based cybersecurity consultant, in its report on a case where malware was included in software required by a Chinese bank for tax payments. See The Golden Tax Department and the Emergence of Golden Spy Malware, subtitled, Trustwave SpiderLabs has discovered a new malware family, dubbed Golden Spy, embedded in tax payment software a Chinese bank requires corporations install to conduct business operations in China. The basic story is typical of China. The bank requires installation of its mandated software created by a private “big data” Chinese company working under contract with the Chinese national tax department. In other words, the mandate requiring use of this spyware comes straight from China’s national government in Beijing.

The software contains a backdoor that takes two actions. First, all data submitted to the bank and all other data on the host computer is transmitted to a server owned by a private Chinese company connected with China’s national tax department. This server is housed on the Alibaba cloud. Second, the software allows the operator of the backdoor complete access to the entire host computer system. Trustwave provides standard advice on best practices for dealing with this type of infection. Their advice to remove the software is, however, simply not practical, since companies are required to use this spyware to do business in China. Their alternative is to install the software on a dedicated laptop insulated from the main company computer system. This approach prevents infection of the main company network system. However, it does not prevent the private data transmitted to the local tax authority from being transmitted to the malware server to be used for undisclosed purposes. It also is not clear how the Chinese government will treat a foreign company that isolates its exposed data to a sole, non-networked computer.

So now we know why all this Chinese government mandated software works so badly. The software is so filled with malware, backdoors and surveillance protocols that normal operation is slowed to the point of making many systems unusable. Those of us who work in China have always assumed this and now the Trustwave report provides a concrete example.

The larger issue is that this forced installation of backdoor malware is a constant issue in China. It is not just the case of one piece of software from one bank. As this case shows, the national government works with government-controlled banks, local governments, private software/big data companies and Chinese based cloud service providers to implement a system that allows total access to all information available on the networks located in China.

It might be possible to implement protections against one single piece of malware, as Trustwave advises. But as a practical matter, it is impossible to implement protection against the constant and pervasive measures the Chinese government takes to access private company data. There are too many points of access. For example, government mandated inspection of company networks allows for installation of similar backdoor malware as part of the inspection process.

The issue is not simply the compromise of the China based system of foreign investors. Once the China system is compromised, the hacker (Chinese government) can almost always then gain access to the entire international network linked to the hacked system. The infection spreads from China around the world. Informatization, big data and full spectrum dominance is the Chinese government’s highest priority. This has important implications for companies operating in China and this reality must be carefully assessed.

The standard response to the tax malware risk from cybersecurity consultants is to claim Western-style cyber security measures can be successfully used to defend against government lead hacking in China. These proposals will not work, and the suggestion they will work creates a false sense of security that actually increases risk. To put it starkly, in China, the government itself is the hacker and it will not allow foreign or domestic technicians to provide services that will defeat the hacker’s ultimate goals.

Let me explain why the normal cybersecurity techniques will not work.

Cybersecurity consultants usually start by explaining how setting up banking operations on a separate laptop can seal the compromised site from the safely protected main site. The use of a dedicated laptop for banking purposes is standard practice in China. I did that in China myself when I had to step in to help run a company there. The reason a separate laptop is required reveals where the problems lie. The Chinese bank software is written so it will only run on a Chinese version of the Windows operating system.

Moreover, it will only run on an outdated, unpatched, unsupported version of Windows — usually an outdated version of Windows 7. The reason is that the malware hidden in the software depends on exploiting various flaws that are endemic in unpatched Windows operating systems. For this reason, anyone using a dual language, patched, supported version of Windows 10 simply cannot make use of the bank provided software. Use of the separate laptop is therefore forced.

In the daily life of a normal business in China, this use of a separate laptop becomes completely impractical. It is important to understand that under the new system I described, the entire financial and regulatory life of a business in China is done over the Internet. For full protection, then, we would need multiple separate laptops: one for each bank, one for the tax department, one for VAT receipts, one for the local government, one for the national government, one for freight forwarders, one for customs, one for the (government controlled) accountant, one for the bookkeeper, and one for the employee benefits service. The list becomes endless. There is thus pressure to combine all these software systems onto one single laptop. This laptop is then used throughout the entire working day. It is not linked to the receiver (let’s say the one bank) and then immediately shut down. It remains linked to someone on the Internet for virtually the entire day.

But wait, it gets worse. Now all of the business’s important data is located on one or more dedicated laptops sealed off from the company’s main system. But to do business, the company needs the data from its laptops to go to its main system. Imagine for just a minute if all your company’s bank information were on one laptop in one office and not a part of your main system. So data from the laptops has to be regularly transmitted to the main system.

Not only must data from the laptop go to the main system at some point for the company to function at all smoothly, but it is also necessary for data from the main system go to the laptop for use of the various systems located on the laptops. Again, just imagine how you will smoothly move only certain financial data from your main system to your laptop every day.

As a practical matter, it is not possible to keep the systems separate and during these required data transfers, your door is opened for malware infection. In the most primitive way, malware is transferred when a thumb drive is used for data transfer. However, many businesses just do the data transfer through some form of Ethernet or wireless link between the various systems. In some cases, companies just give up and shift all their important financial operations to the dedicated laptop, or even to a Chinese Windows desktop.

This is what actually happens on the ground in China, and there is no way to prevent it. Foreign owned companies in China will often install a system based on advice from a foreign cybersecurity expert. They will use patched, updated operating systems, the most modern anti-virus protections, the best cryptography and a sophisticated VPN. This work is all in vain because when a network connection is required, China Telecom or some other Chinese government agency will install the network system. And they will say it is fine for you to use these systems for your personal purposes, but you cannot use these systems for any operations that make use of the Internet in China because China’s rules require the following:

  1. China approved virus software.
  2. China approved cryptography.
  3. A China approved ISP.
  4. A China approved cloud provider.
  5. China approved connection software.
  6. A China approved version of Chinese language Windows that we will provide to you.
  7. Support service provided only by a China approved (and controlled) network consultant.

To top it all off, as discussed above, China’s local authorities have the right to inspect your networked system at any time without notice and this inspection is done without the participation of company staff. During that inspection, your data will be removed using a thumb drive. If the government inspectors want to do it, they can then install the malware through the use of that same thumb drive. Most large network connections in China are done through use of a cloud system. Chinese government authorities have the same rights to inspect the cloud system. In accordance with the rules, the client of the cloud provider will not even know its system has been inspected.

Network systems are provided to businesses in China exclusively through the Chinese government and/or by Chinese government agencies and/or by IT consultants approved and controlled by the government. The Chinese government is the primary hacker in China, with your cyber security being performed by the hacker itself. This goes beyond a simple network connection. The Chinese government provides the landline phone system and the cell phone system. The Chinese government provides the Internet connection. The Chinese government provides the email server. Many Chinese government agencies will not use email; they instead require all contacts be through WeChat, a completely insecure platform constantly monitored by the Chinese government. By using the extreme efforts suggested by the best cybersecurity advisors, a foreign company doing business in China might be able to avoid one of these assaults on its data. But when the attacks come from every direction and are organized by the Chinese government itself and backed up by threat of imprisonment, any defense will ultimately fail.