BEIJING -- China’s Great Firewall is coming to a computer near you.
What may be the world’s biggest censorship and Internet monitoring operation does not just affect netizens in China, it is becoming a potential concern for Internet users elsewhere in the world, experts say. News that China is building that firewall steadily higher only heightens those concerns.
For a start, Web browsers all over the world now trust the Chinese government to tell them which Web sites are genuine. That is increasingly dangerous as Chinese hackers target foreign Web services to steal users’ data, allegedly at the behest or with the connivance of the Chinese government. An attack on Microsoft Outlook last month underscores that risk.
Then there is the question of China’s growing demands for the keys to global operating systems -- demands that China is making on foreign IT firms as a condition for doing business here.
Last week, foreign business groups -- including the American Chamber of Commerce in China and the U.S. Chamber of Commerce -- wrote to the Chinese government to protest new rules that would force companies in the banking and telecoms sectors to use only “secure and controllable” IT services -- in other words, services the Chinese government can monitor. An ongoing review of cybersecurity in general, which includes the testing and auditing of foreign IT firms and services operating here, threatens to widen those restrictions.
“The above policies dictate that in order to qualify as ‘secure and controllable,’ ICT products and services must undergo intrusive security testing, contain indigenous Chinese intellectual property (IP) (e.g., local encryption algorithms), comply with Chinese national standards, and restrict the flow of cross-border commercial data,” the letter complained, according to the Nelson Report, which published a copy last week. “The same policies also mandate that vendors file sensitive IP, such as source code, with the Chinese government.”
While foreign firms are reluctant to comply, the potential for vast profits here makes refusal potentially costly and compliance tempting. And to the extent that they do comply, experts say, the companies' hardware and software become vulnerable to Chinese hackers who could obtain those keys.
Apple, which last week posted the biggest quarterly profits in its history thanks partly to booming sales of the iPhone 6 in China, has already reportedly agreed to submit its products to China’s audit and has already begun storing iCloud data for Chinese users on encrypted servers in China. The company insists it will always protect its users’ data, but Charlie Smith, a founder of the GreatFire.org group who uses a pseudonym for security reasons, says it has become a question of trust.
“By handing over their source code to the Chinese authorities, they are giving them the ability to identify and perhaps exploit any vulnerabilities in their code,” he wrote in an e-mail.
“Foreign companies who wish to do business in China are bending over backwards to comply with the authorities in exchange for market access,” he wrote, citing examples of LinkedIn submitting to Chinese censorship and Yahoo handing over e-mails to Chinese authorities. “Are there any limits to what companies will do to sell more product? I think history has shown the answer to this question to be a definitive ‘no.’”
This sort of thing might directly affect Chinese dissidents living abroad and their supporters more than it affects ordinary people, but it does extend the tentacles of China’s Internet monitoring operation into Western countries.
There are other risks too. Last month, Chinese hackers carried out a “man-in-the-middle” or MITM attack on users of the Microsoft Outlook e-mail service, following similar attacks on users of Yahoo, Google and Apple services late last year.
Greatfire.org, which dedicates itself to fighting online censorship here, said it suspected that attack was carried out with the connivance or at the behest of the Cyberspace Administration of China, with the apparent intent not only of stealing data but also of cracking down on users of a communication method the government cannot easily monitor.
Raising alarm bells, news emerged in December that the Cyberspace Administration of China was now in charge of the China Internet Network Information Center (CNNIC), the authority that issues digital certificates to Web sites here and tells users that they are safe to visit.
Companies such as Microsoft, Apple and Mozilla, which produces the popular Firefox browser, all trust CNNIC’s certificates. What that means is that your computer potentially now trusts the same people who are ordering the hacking attacks, GreatFire.org and others argue.
“CNNIC can issue certificates to intercept encrypted communications without your knowledge,” GreatFire.org’s Percy Alpha wrote in a blog post, again using a pseudonym. That leaves “usernames, passwords, text messages, emails, photos, contacts and even financial information” vulnerable to being acquired by the Chinese authorities -- whether users are in China or abroad.
To be fair, the Chinese government is not the only one your browser probably trusts. Despite reports that the U.S. National Security Agency is engaged in a similarly massive effort to spy on its own citizens’ communications, certificates issued by the U.S. Department of Defense are also widely trusted.
What that means, according to Kevin Bocek, vice president of security strategy and threat intelligence at the cybersecurity firm Venafi in San Francisco, is that the Internet’s own immune system is capable of being turned against users anywhere in the world, giving governments the ability to “take control of our browsers and our smartphones.”
“The architects of the Internet would never have thought in their wildest dreams that the U.S. Department of Defense, the Chinese and other governments, would be trusted by our browsers,” he said. “This is a whole new level of risk.”