Nick Shevelyov, Senior Executive Reporter, Cyber Defense Magazine
On February 7, 2024, the US Government Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory titled “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure[1]”. The advisory goes on to describe the Chinese malicious software named “Volt Typhoon” and states “The U.S. authoring agencies have confirmed that Volt Typhoon has compromised the IT environments of multiple critical infrastructure organizations—primarily in Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors—in the continental and non-continental United States and its territories, including Guam”. Our government is telling us we are at risk of a severe cyberattack domestically; this “Typhoon Warning” should also be a wake-up call for US businesses doing business in China.
If your company, vendors, or business partners have operational dependencies in China, the risk to your data security is now at an all-time high. The threat landscape darkens further when you read the Wall Street Journal’s “A China-U.S. Decoupling? You Ain’t Seen Nothing Yet[2]”, “U.S. to Invest Billions to Replace China-Made Cranes at Nation’s Ports – Biden administration fears security threats at hundreds of sites[3]”, “FBI Director Says China Cyberattacks on U.S. Infrastructure Now at Unprecedented Scale[4]” and “China’s Hacker Network: What to Know[5]”; together they give a sense of the growing geopolitical tensions between the United States and China.
The U.S. Department of Justice Federal Bureau of Investigation (FBI) publishes a paper titled “Intellectual Property Protection – Safeguard Your Company’s Trade Secrets, Proprietary Information and Research”. In that document it states “If your company has a technological edge, expect your technology, and those with access to it, to be targeted. If your company has developed a process to manufacture an item at a lower cost than others, that manufacturing process may be targeted. If your company is negotiating with another company or country, the negotiations and negotiation strategy may be targeted.”
Pair that with the FBI’s “PRC Laws Impacting US Business Operations with PRC Enterprises” published February 7th, 2022, which states “With the globalization of business, it is common for US companies to work with those based in foreign countries. However, when engaging in business with China-based companies, US private sector companies should keep in mind there are several People’s Republic of China (PRC) laws which have the potential to restrict, regulate, or manage their actions, including the following:
- 2021 Personal Information Protection Law. This law mandates US companies, including those processing personal data outside of the borders of the PRC, to locally store all personal information collected and produced. A security review by state authorities is subsequently required for the cross-border transfer of personal information.
- Article 35 empowers public and national security officials to obtain data for safeguarding national security or investigating crimes in accordance with PRC law. State authorities are required to preserve the confidentiality of a broad range of information, including commercial secrets.
- Article 38 requires non-PRC companies to comply with administrative regulations managing the cross-border provision of PRC personal information and agree to a PRC Government formulated contract on handling the data.”
Resource: The China Personal Information Protection Law (PIPL), Deloitte, May 2021
This FBI Outreach and Liaison Tool lists more factors to consider, and readers are encouraged to reach out to their local FBI Private Sector Coordinator for the full analysis.
Add the context that China has a “Marathon” 100-year plan (1949 – 2049) to ascend as the world’s top power, broken down into five-year “Sprints”, and businesses should take note and reassess their strategy in light of China’s “Grand Strategy” and designs.
I spent fifteen years as the Chief Security Officer of a global, publicly traded bank with a joint venture bank in China. If I were running a business with exposure to this growing Chinese geopolitical risk, here are ten questions I would ask myself:
- What types of data do I have? Understand the types of data you possess, including personal data, financial information, and intellectual property. This helps when considering the appropriate security measures and controls that should be in place. A data inventory exercise is critical in “Knowing Thyself”, a foundational principle in any sound cybersecurity program.
- Am I compliant with local data protection laws? China’s Cybersecurity Law and the Personal Information Protection Law (PIPL) set strict rules for data handling and protection. Ensure your business complies with these regulations. Small business disputes can result in your executives not being allowed to leave China[6].
- Where is my PII data stored? Consider the physical and virtual locations of your data storage. Data stored within China is subject to Chinese law, and there are restrictions on transferring certain types of data overseas. The time is now to determine whether your data storage location strategy still makes sense, considering the increasing risks of government intervention and theft.
- Who has access to my data? Review access controls on a regular basis to ensure only authorized personnel can access sensitive data, and implement least-privilege access principles.
- How do I protect data during transmission? Data in transit can be vulnerable to interception. Encrypt sensitive data before transferring it over public networks.
- What are my data backup and recovery plans? Ensure you have robust data backup and recovery procedures in place to recover swiftly from data loss or cyberattacks. The ability to recover your data within the Recovery Time Objectives and Recovery Point Objectives set in your Business Impact Assessment is key. Ensure you have business-level User Acceptance Testing defined and tested.
- Am I monitoring and detecting threats effectively? Continuous monitoring for suspicious activities and potential breaches is critical. Implement advanced threat detection systems and establish a security operations center (SOC) if possible.
- How do I manage third-party risks? If you share data with third parties or use third-party services, assess their security practices, and ensure they meet your security standards.
- What is my incident response plan? Have a clear plan for responding to data breaches or cyberattacks, including notification procedures, especially considering China’s strict requirements on reporting certain types of incidents.
- How do I educate my employees about data security? Regular training and awareness programs can help mitigate risks associated with human error. Ensure your staff understands the importance of data security and knows how to protect sensitive information. The National Association of Corporate Directors (NACD) publishes a technology risk guidance report; use it to educate yourself and your board.
CISA’s recent Volt Typhoon warning is just one example of the increasing cybersecurity risks we face both domestically and abroad. We have all heard it before: if you fail to plan, you plan to fail. Navigating this increasingly treacherous risk is like steering your ship through a typhoon. Monitoring the ever-changing cybersecurity risk landscape is table stakes for business today. Forewarned is forearmed. Use these news alerts, the FBI guidance and the ten cybersecurity questions above to make more informed, risk-aware decisions for your organization.
About the Author:
Nick Shevelyov is a Senior Executive Reporter for Cyber Defense Magazine. He founded vCSO.ai, a cybersecurity and data privacy advisory and consulting firm helping companies enhance their risk strategies and product companies improve their go-to-market storytelling and channel development. He is the former Chief Security Officer (2007 – 2021) at Silicon Valley Bank, the bank of the innovation economy. He is the author of “Cyber War…and Peace”, has been published in various periodicals, sits on the Board of Directors of the Bay Area CSO Council, and advises several Venture Capital and Private Equity firms. He can be reached for breaking stories at [email protected].
Sources:
[1] https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
[2] https://www.wsj.com/economy/trade/a-china-u-s-decoupling-you-aint-seen-nothing-yet-12c0828e
[3] https://www.wsj.com/politics/national-security/u-s-to-invest-billions-to-replace-china-made-cranes-at-nations-ports-d451ef8f
[4] https://www.wsj.com/politics/national-security/fbi-director-says-china-cyberattacks-on-u-s-infrastructure-now-at-unprecedented-scale-c8de5983
[5] https://www.nytimes.com/2024/02/22/business/china-hack-leak-isoon.html
[6] https://www.wsj.com/world/china/chinese-exit-bans-business-c38cb10c