Chinese spying: the ongoing saga

Edit: see a second response here addressing more specific scenarios.

One of the most popular security topics in mainstream news is state-sponsored hacking.  North Korea, China, the United States, and Russia all put a lot of money and focus into breaking into things for various purposes.  Many other countries are developing similar programs.   

There are a couple of good lessons for the small and medium business owner: if you get defrauded or pay a ransom, there's a good chance you're helping North Korea build nukes.  If your granny's home router doesn't get regular patches, it may be used by Russia to shut down sites it doesn't like.  However, if you only consider the security impact on your immediate business goals, state-sponsored cyberattacks aren't your biggest concern, and you'll get way more mileage out of general security improvements than hearing the latest about Fancy Bears.  

A recent article on China Law Blog expounded on China's cybersecurity strategy to spy on everything and everyone.  The article describes proprietary apps published by Chinese banks (original sourced from Trustwave): 

 [Spyware is] embedded in tax payment software a Chinese bank requires corporations to install to conduct business operations in China. The basic story is typical of China. The bank requires installation of its mandated software created by a private “big data” Chinese company working under contract with the Chinese national tax department.  

...

The software contains a backdoor that takes two actions. First, all data submitted to the bank and all other data on the host computer is transmitted to a server owned by a private Chinese company connected with China’s national tax department. This server is housed on the AliBaba cloud. Second, the software allows the operator of the backdoor complete access to the entire host computer system

In a couple of ways, the rhetoric is fair: China's state-sponsored cyber operations groups have shown dedication and planning in getting all the secrets they possibly can - this is no accident.  Tik Tok is another recent example, and other writers have documented China's growing surveillance capability for decades.  

China's cyber-intelligence also has demonstrated its willingness to pass stolen secrets to Chinese companies.  Sometimes this is a national effort, sometimes it's just low-grade corruption.  

The big miss

Where the article gets confused is in the rejection of Trustwave's recommendation:

Their alternative is to install the software on a dedicated laptop that is fully insulated from the main company computer system. This approach prevents infection of the main company network system. However, it does not prevent the private data transmitted to the local tax authority from being transmitted to the malware server to be used for undisclosed purposes. It also is not clear how the Chinese government will treat a foreign company that isolates its exposed data to a sole, non-networked computer.

...

It might be possible to implement protections against one single piece of malware, as Trustware advises. But as a practical matter, it is impossible to implement protection against the constant and pervasive measures the Chinese government takes to access private company data. There are too many points of access. For example, government mandated inspection of company networks allows for installation of similar backdoor malware as part of the inspection process.

Trustwave's suggestion is not unique: isolating systems and capabilities has been a core tenet of security since the 70s.  It works great, too, and it is clear how the Chinese government will treat you if you do this: they will never bother you.  Any halfway decent big company (including those in China) do this consistently for all their data.  

If you do it right, it isn't a problem that the Chinese government can see the data on this special laptop.  Consider:

segmentation between systems to protect access

The orange boxes indicate systems that are under presumed control/surveillance by Chinese Spy Agencies; the blue box is what only you control.  You already know that the Chinese spy agency has full access to everything at your Chinese bank - that's how they got you to install the spyware in the first place.  Now, because they control the software provided by the Chinese Bank, they have access to whatever system you installed it on, too.  If you only ever put information destined for the Chinese bank into the dedicated laptop, you won't give the spy agency anything they wouldn't have already - they now just get it one step earlier.  

The important part is to build it so that the sharing decision is made in the blue system and pushed to the dedicated orange laptop.  Never let the orange one initiate except to the Chinese bank.  This ensures that the Chinese Spy Agency can't move in the opposite direction and break into your blue systems.  Old-timey security engineers call this a firewall, but you can use nontechnical ways to do it too:

  • emailing attachments from an account only accessible on the left system to an account only used on the right and creating a rule to delete any email that goes the other way
  • using a usb key to move files and wiping it after every use.  
  • setting up an sftp server on the dedicated system and accessing it from the secret system to deposit files.

 

Think of your dedicated laptop just like a bank teller drive-thru: you technically own it, but people still get mugged there.   It belongs outside, with strong walls and fancy pneumatic tubes that let you control which of your stuff actually gets out there.

pneumatic tubes at the bank's drive-thru

 

You don't even need a dedicated laptop - for less than $10/month, Microsoft or Amazon will lease you a functional replacement in their datacenter that will never fail and can't be stolen.  

Impossible to Protect: hogwash!

In the last quoted paragraph, Steve throws up his hands at the idea of protecting yourself from the Chinese government.  "It's impossible!" he says, citing Chinese auditors that install things when they check your systems.  

It's not impossible, and it's not even that difficult.  Malicious traffic-sniffing devices left by Secret Spies aren't that difficult to find and remove, and encrypting all your traffic easily bypasses them.  That's why the United States law enforcement is so eager to outlaw effective encryption: it works at keeping secrets.  

The easiest way: Get rid of your servers

One of the best ways you can avoid Steve's doom-and-gloom scenario is to segregate your systems by design.  There is no reason why your HR portal should trust your bookkeeping software - why even have them on an internal network?   Use a well-regarded SaaS HR system and SaaS book-keeping system.  If you have to plumb them together, think about what they need to say to each other, and only let them say that.  The organizations with the best security have even given up on "internal networks" altogether because they give you a false sense of security - exactly what Steve is talking about.  

This also works if you have operations in China.  Assume that Chinese agencies access everything those operations do.  You can still segment your data and systems.  If there are secrets you want to keep from China, keep them in systems unavailable to your Chinese operations or staff.  

Even if your auditor is a spy, an audit of a segregated environment will only show them the parts of the company relevant to their audit scope.  You can naturally limit what they can see and do - you also usually get fewer audit findings because they can't examine as much stuff. 

Segmenting your systems and data works for big companies and it can work for you.  It's often cheaper, more resilient, and more resistant to any security threat, Chinese or not.  

Want help segregating your systems?  Get help today.