China legalises penetration testing of local companies by state agencies

The new cybersecurity law in China makes it legal for state agencies to initiate penetration testing of local companies without any repercussions, legal or otherwise. Apart from that, they are also within their rights to share their findings with others.

Any Chinese company involved in providing Internet-related services and operating more than five internet-connected computers can become a target. The new changes came into effect on the 1st of November 2018.

From now on, the Ministry of Public Security (MPS) will be allowed to perform a variety of tests and actions, including the following:

– Conduct remote inspections without having to inform the targeted organisation

– Copy any user information discovered during the investigation

– Check whether the targeted system contains any content that’s prohibited in China

– Share the data discovered with other state agencies

– Conduct penetration tests

Industry experts keep warning us that the new provisions are nothing but a mask for China’s questionable data collection practices. Moreover, the new law doesn’t require the party conducting the penetration test to notify the targeted company; the latter isn’t even entitled to receive a report of the findings.

Why should this concern us? For starters, please keep in mind that any user that’s logged into their systems can become the target of inspection. Also, the law’s provisions are rather vague, as they don’t clearly specify which data MPS officials are allowed to copy – including data pertaining to foreigners.