On Tuesday, the Department of Homeland Security (DHS) warned U.S. companies to avoid Chinese hardware and software as new laws in China influence domestic firms to covertly access data of their U.S. partners.
In a press release, the DHS said, “The PRC [People’s Republic of China] presents a grave threat to the data security of the U.S. government and U.S. businesses. It has both the intent and ability to covertly access data directly through entities under the influence or jurisdiction of PRC laws, often without the knowledge or consent of the non-PRC businesses or institutions that maintain rights to the data.”
The DHS said the PRC government enacted new laws that compel PRC businesses and citizens to share the data of their U.S. business partners with government authorities. Those laws reportedly require Chinese companies to store data within China and to turn over their data to PRC government authorities, under the scope of national security.
“These risks result from direct actions of the Chinese Communist Party (CCP) and from PRC laws that coerce PRC firms into providing data and relevant information to the Chinese government,” the DHS advisory states.
In an accompanying advisory, the DHS recommended that U.S. firms working with Chinese firms or transacting business in China scrutinize their data-sharing practices and avoid using Chinese firms' hardware or data services to store sensitive information.
The DHS said “businesses expose themselves and their customers to heightened risk when they share sensitive data with firms located in the PRC, or use equipment and software developed by firms with an ownership nexus in the PRC, as well as with firms that have PRC citizens in key leadership and security-focused roles.”
The DHS said U.S. businesses are at a heightened risk of having their data stolen simply by transacting business with a Chinese firm, or a firm that has Chinese citizens in its leadership.
The DHS advisory recommends that any U.S. business that operates in China with PRC firms or entities “scrutinize any business relationship that provides access to data—whether business confidential, trade secrets, customer personally identifiable information (PII), or other sensitive information” and “minimize the amount of at-risk data being stored and used in the PRC or in places accessible by PRC authorities.”
For their most sensitive data, the DHS recommends that U.S. businesses seek out “trustworthy” service and equipment providers as alternatives to those offered by Chinese firms. U.S. businesses should also “remain alert when conducting business in China” and IT operators should “ensure proper segmentation of their network infrastructure from any external software use.”
The DHS also recommends that U.S. businesses operating in China prepare protocols in advance for responding to Chinese authorities’ demands for their sensitive information.
The DHS press release states, “Any person or entity that chooses to procure data services and equipment from PRC-linked firms, or store data on software or equipment developed by such firms, should be aware of the economic, reputational, and, in certain instances, legal, risks associated with doing business with these firms.”