In an effort to keep DHS.gov current, the archive contains outdated information that may not reflect current policy or programs.
Today, the Department of Homeland Security issued a business advisory to American businesses warning of risks associated with the use of data services and equipment from firms linked to the People’s Republic of China (PRC).
The PRC presents a grave threat to the data security of the U.S. government and U.S. businesses. It has both the intent and ability to covertly access data directly through entities under the influence or jurisdiction of PRC laws, often without the knowledge or consent of the non-PRC businesses or institutions that maintain rights to the data.
“For too long, U.S. networks and data have been exposed to cyber threats based in China which are using that data to give Chinese firms an unfair competitive advantage in the global marketplace,” said Acting Secretary of Homeland Security Chad F. Wolf. “Practices that give the PRC government unauthorized access to sensitive data – both personal and proprietary – puts the U.S. economy and businesses at direct risk for exploitation. We urge businesses to exercise caution before entering into any agreement with a PRC-linked firm.”
This advisory highlights the persistent and increasing risk of PRC government-sponsored data theft due to newly enacted PRC laws that can compel PRC businesses and citizens – including through academic institutions, research service providers, and investors – to take actions related to the collection, transmission, and storage of data that runs counter to principles of U.S. and international law and policy. Such activities include requiring companies to store data within PRC borders and turning over routine data to the PRC government under the pretense of national security. The advisory also highlights the PRC’s history of manipulation, misuse, and exploitation of that data to serve PRC business and economic goals.
Any person or entity that chooses to procure data services and equipment from PRC-linked firms, or store data on software or equipment developed by such firms, should be aware of the economic, reputational, and, in certain instances, legal, risks associated with doing business with these firms.