security

Bay Area Voice: U.S. tech firms must rethink their relationships with China – Marin Independent Journal


HAYWARD, CA – JULY 20: First grade teacher Lori Suydam types on her keyboard during an online class session with 14 students at Park Elementary School on Monday, July 20, 2020, in Hayward, Calif. (Aric Crabb/Bay Area News Group)

Microsoft’s disclosure over the summer of a Chinese espionage campaign that used forged credentials to break into U.S. government agencies and businesses is a reminder that China has sophisticated cyber capabilities and is willing to use them. But this is more than just having a product with vulnerable code.

If companies have business operations in China — as many of America’s largest and most influential tech companies do — they may be unwitting accomplices to China’s surveillance operations, according to a new report published by the American Security Project. Yet this remains absent from discussions of risk in many technology firms’ public financial statements.

It is a curious omission, because the risks are high: Chinese law requires that companies located there provide the Chinese Communist Party’s security services with access to source code and other sensitive data if demanded. Chinese law also requires that security researchers — including those working for tech companies — share vulnerabilities in computer code with the government first.

Ten years ago, then-National Security Agency contractor Edward Snowden leaked classified documents purporting to show that American tech companies were required under U.S. law to furnish information about foreigners to the U.S. intelligence community. In the painful aftermath of the leaks, American tech companies faced such grave reputational harm that many of them reported the risks as material in their financial disclosures. They also fought hard for — and won — the right to be more transparent with their customers and the broader public about how often the U.S. intelligence community required them to cooperate. If U.S. surveillance posed such a grave risk to the business fortunes of American tech companies, surely China’s must as well.

Readers Also Like:  Plan for the future with Microsoft Security - microsoft.com

To be sure, there is a world of difference between the American legal framework for intelligence operations and China’s. Ours is embedded in a democracy, with limits prescribed by law and subject to layers of oversight by all three branches of government. We openly debate the contours of this framework, as Congress is doing now with respect to the surveillance authorities authorized by the Foreign Intelligence Surveillance Act. China gives security services carte blanche to pursue their investigations and operations, with no known limits.

The risks of Chinese cyber operations do not stop at a company’s financial bottom line. The Office of the Director of National Intelligence has warned that “China almost certainly is capable of launching cyber-attacks that could disrupt critical infrastructure services” in the United States, including rail systems and oil and gas pipelines. Here in California, for example, a Chinese cyber-espionage campaign targeted the Metropolitan Water District of Southern California, which provides water to 19 million Californians.

Now, it is true that many U.S. tech companies’ relations with China are complex. China is a huge market with a long history of making foreign companies build a business footprint in the country in order to sell there.

It also has an enormously talented tech workforce that tech companies want to tap into by basing some of their operations in China. When it comes to espionage, however, those China-based organizations ultimately answer to the Chinese Communist Party, not American tech giants’ management.



READ SOURCE

This website uses cookies. By continuing to use this site, you accept our use of cookies.