  • The Ministry of Public Security will now be allowed to perform penetration tests on anyone.
  • New provisions in an already controversial law will free Chinese authorities from any constraints.
  • Experts warn that this is all about collecting the data of local and foreign citizens and imposing control.

The Chinese government has expanded its 2017 cybersecurity law with provisions that allow state agencies to legally conduct penetration tests on anyone online in the country. Under the new provisions, all companies and organizations that use more than five computers connected to the internet are now candidates for a pen-test by the Ministry of Public Security (MPS). These modifications and additions are supposedly introduced to increase the security of the people of China and to ensure that databases are adequately protected and that no data leaks or other serious cybersecurity incidents occur.

However, considering the overall function of this particular Ministry, the people’s security is probably just the official justification, while the main point is to make more intrusive interventions legal. The Chinese government wants to have full control of all online entities in the country, so why ask for their permission to inspect their infrastructure when it can do so whenever it wants, without even having to inform them? The following list of provisions indicates how much value the Chinese authorities place on people’s right to privacy.

  • Conduct in-person or remote inspections of the network security defenses taken by companies operating in China.
  • Check for “prohibited content” banned inside China’s border.
  • Log security response plans during on-site inspections.
  • Copy any user information found on inspected systems during on-site or remote inspections.
  • Perform penetration tests to check for vulnerabilities.
  • Perform remote inspections without informing companies.
  • Share any collected data with other state agencies.
  • The right to have two members of the People’s Armed Police (PAP) present during on-site inspection to enforce procedures.

What experts make of the above is that China wants to intensify its data collection practices, and getting its hands on anyone’s database is a great way to achieve this. After all, the provision for “copying any user information found during the inspections” clearly shows its intentions. The vagueness that underpins these new provisions doesn’t leave much room for specific exclusions or limitations in any of them either. After this move, the people of China and every foreigner who lives in the People’s Republic have woken up to an even cloudier day for their online rights.

Would you accept these enforced penetration tests, or would you take your company or organization out of China after the new provisions that were added to the Cybersecurity law?