Beijing’s New Data Security Law Poses Risk to Foreign Firms: Analysts

By Frank Yue
Frank Yue
Frank Yue
Frank Yue is a Canada-based journalist for The Epoch Times who covers China-related news. He also holds an M.A. in English language and literature from Tianjin Foreign Studies University, China.
September 17, 2021 Updated: September 17, 2021

News Analysis

Foreign firms in China are now required to report network vulnerabilities to authorities under a new data security law. Analysts say this will help hackers working for the Chinese Communist Party’s (CCP) with conducting cyber attacks for the regime.

The law was officially put into practice on Sept. 1, aimed at data surveillance in major sectors. According to Article 29 of the law, international companies within China must report their data security incidents immediately to both authorities and users once they are identified.

On the same day, a Chinese bylaw took effect on the management of network product security vulnerabilities. The rules require service providers to report details to authorities within two days, while foreign organizations and individuals are banned from access.

Analysts said this is a way for the CCP to effectively weaponize cyber vulnerabilities.

System flaws that developers are unaware of are called zero-day vulnerabilities. Wang Donglin, a former tech director in a Chinese internet firm, described how those types of vulnerabilities can be exploited.

“Given the despotic nature of the Chinese communist regime, it would most likely turn those vulnerabilities into weapons to attack other nations once they fall into its hands,” Wang told The Epoch Times.

He said cyber security flaws exist in numerous businesses or organizations. Undiscovered zero-day vulnerabilities can be used by hackers for profiteering. In China, it is called an “underground industry,” according to Wang.

With the data security law requiring vulnerabilities to be reported to the CCP, including the zero-day type, obtaining resources could be a “no-brainer” for the CCP’s hackers, Wang said. He added that the most likely target in the potential first wave of cyber attacks would be a large number of cloud-service hosts.

Puma Shen, an assistant professor at Graduate School of Criminology of National Taipei University, told The Epoch Times that risks would not decline with the import of the law.

“The regime now has found a good excuse for its doings—in the name of protecting cyber security and privacy,” Shen said. “But a government has no capability of solving vulnerabilities.”

Generally, businesses are not required to officially report attacks unless they are service providers for governments. With such resources available, the CCP’s Department of Public Security could indeed launch cyber attacks with the help of its hackers, Shen said.

Internet observer Gu He said the CCP is using the new law to make gathering information from domestic and foreign firms legal.

“In other countries, zero-day vulnerabilities are managed by businesses themselves, not by state powers,” he said. He questioned how a government could manage them, or what right it has to intervene in corporate freedom.

Those most interested in such vulnerabilities are none other than global hackers, Gu noted, also saying hackers could use these vulnerabilities for profit. For the CCP, its goal is different: stealing secrets, Gu said.

Gu believes the new law can have a huge impact on transnational companies in China.

Luo Ya and Li Yun contributed to this report. 

Frank Yue
Frank Yue
Frank Yue is a Canada-based journalist for The Epoch Times who covers China-related news. He also holds an M.A. in English language and literature from Tianjin Foreign Studies University, China.