Government

DHS warns US businesses of China’s data-collection practices

The advisory is an acknowledgement that China’s alleged theft of intellectual property is still a rampant problem for U.S. officials.

By Sean Lyngaas

December 23, 2020

Acting Homeland Security Secretary Chad Wolf, then the Homeland Security acting secretary, testifying before a Senate panel in August (Flickr/Department of Homeland Security)

As Washington is absorbed with the fallout of a suspected Russian hacking operation against U.S. organizations, the Department of Homeland Security is warning American companies not to be complacent when it comes to cyberthreats from China.

A 15-page “business advisory” released Tuesday by DHS cautions that Chinese intelligence services could collect and exploit data held by U.S. firms doing business in China, highlighting longstanding concerns from U.S. officials. Beijing has denied allegations of economic espionage.

The advisory is an acknowledgement that, despite efforts by both the Trump and Obama administrations to curb China’s alleged theft of intellectual property, it is still a rampant problem for U.S. officials. It comes after the top U.S. counterintelligence official said this month that China had increased its influence operations targeting incoming Biden administration personnel and their associates.

Chinese law requires Chinese businesses and citizens, including in academia, to “take actions related to the collection, transmission and storage of data that runs counter to principles of U.S. and international law and policy,” DHS said in a press release. The department urged U.S. firms to “minimize the amount of at-risk data being stored and used” in China, or in places accessible to Chinese authorities.

U.S intelligence officials routinely list Russia and China as the top two U.S. adversaries in cyberspace. Russia is currently grabbing the headlines through an alleged espionage operation that has compromised unclassified computer networks at multiple federal agencies.

But hacking and counterintelligence threats from China are still a top concern, particularly in the long term, among U.S. officials and private analysts. And American firms are drawing greater scrutiny for the role they play in such security concerns. A senior executive at Airbnb resigned from the company last year over concerns of how the rental service shared data on millions of its users with Chinese officials, the Wall Street Journal reported in November.

Many U.S. officials and private-sector analysts fear that Beijing has already collected reams of data on Americans for intelligence operations that could threaten U.S. national security for years to come. Between the breaches of the Office of Personnel Management, credit monitoring giant Equifax and health care provider Anthem — all of which U.S. officials have linked to Chinese nationals— there is a trove of sensitive data to exploit. (China has denied involvement in those data heists.) Navigating that counterintelligence threat will be a test for the incoming Biden administration.

And while the center of the alleged Russian hacking operation involves a “backdoor,” or tampered software for persistence access, the DHS advisory warns that Chinese spies have ample opportunity to create backdoors of their own.

Chinese law could allow Beijing to install backdoors in technology, creating “security flaws [that are] easily exploitable by PRC entities,” DHS said.