The administration of U.S. President Joe Biden is investigating China Mobile, China Telecom and China Unicom over concerns that the firms could exploit access to American data through their U.S. cloud and internet businesses by providing it to Beijing, three sources familiar with the matter said.
Authorities at the Commerce Department are running the
investigation, which has not been previously reported. They have subpoenaed the
state-backed companies and have completed "risk-based analyses" of
China Mobile and China Telecom, but are not as advanced in their probe of China
Unicom, the people said, declining to be named because the probe is not public.
The companies still have a small presence in the United
States, for example, providing cloud services and routing wholesale U.S.
internet traffic. That gives them access to Americans' data even after telecom
regulators barred them from providing telephone and retail internet services in
the United States.
The Chinese companies and their U.S.-based lawyers did not
respond to requests for comment. The Justice Department declined to comment and
the White House referred questions to the Commerce Department, which declined
to comment.
The Chinese Embassy in Washington said it hopes the United
States will "stop suppressing Chinese companies under false
pretexts," adding that China will continue to defend the rights and
interests of Chinese companies.
The investigation is the latest effort by Washington to
prevent Beijing from exploiting Chinese firms' access to U.S. data to harm U.S.
companies, Americans or its national security as part of a deepening tech war
between the geopolitical rivals. It shows the administration is trying to shut
down all remaining avenues for Chinese companies already targeted by Washington
to obtain U.S. data.
Regulators have not yet made decisions about how to address
the potential threat, two of the people said. But, equipped with the authority
to probe internet services sold into the U.S. by companies from "foreign
adversary" nations, regulators could block transactions allowing them to
operate in data centers and route data for internet providers, the sources
said.
Blocking key transactions, in turn, could degrade the
Chinese firms' ability to offer competitive American-facing cloud and internet
services to global customers, crippling their remaining U.S. businesses,
experts and sources said.
"They are our chief global adversary and they are very
sophisticated," said Doug Madory, an internet routing expert at internet
analysis firm Kentik. "I think (U.S. regulators) would not feel like they
were doing their job if they weren't trying to shore up every risk."
Routing through China
China Telecom, China Mobile and China Unicom have long been
in Washington's crosshairs.
The Federal Communications Commission denied China Mobile's
application to provide telephone services in 2019 and revoked China Telecom and
China Unicom's licenses to do the same in 2021 and 2022 respectively. In April,
the FCC went further and barred the companies from providing broadband service.
A spokesman for the FCC said the agency stands by its concerns.
One factor in the FCC's decision was a 2020 report from
other U.S. government agencies that recommended revoking China Telecom's
license to provide U.S. telephone services. It cited at least nine instances
where China Telecom misrouted internet traffic through China, putting it at
risk of being intercepted, manipulated or blocked from reaching its intended
destination.
"China Telecom's U.S. operations ... provide Chinese
government-sponsored actors with openings to disrupt and misroute U.S. data and
communications traffic," authorities said at the time.
China Telecom denied the government's allegations and told
U.S. agencies that routing problems are common and occur on all networks.
The telecoms company sought to reverse the FCC decision, but
a U.S. appeals court rejected its arguments, noting that the agencies presented
"compelling evidence that the Chinese government may use Chinese
information technology firms as vectors of espionage and sabotage."
Access points, cloud under scrutiny
The Chinese telecoms companies' reach extends deep inside
the U.S. internet infrastructure.
According to its website, China Telecom has eight American
Points of Presence (PoPs) that sit at internet exchange points, which allow
large-scale networks to connect to one another and share routing information.
China Telecom did not respond to requests for comment about
its U.S.-based PoPs.
According to the FCC, there are "serious national
security and law enforcement risks" posed by PoPs when operated by firms
that pose a national security risk. In cases where China Telecom's PoPs reside
in internet exchange points, the company "can potentially access and/or
manipulate data where it is on the preferred path for U.S. customer
traffic," the FCC said in April.
Bill Woodcock, executive director of Packet Clearing House,
the intergovernmental treaty organization responsible for the security of
critical Internet infrastructure, said traffic flowing through these points
would be vulnerable to metadata analysis, which can capture key information
about the data's origin, destination, size and timing of delivery. They also
might allow for deep packet inspection, where parties can glimpse the data's
contents, and even decryption.
Commerce Department investigators are also probing the
companies' U.S. cloud offerings, the focus of the 2020 referral from the
Justice Department on China Mobile, China Telecom and Alibaba that prompted the
investigations, the people said. The probe was later expanded to include PoPs
and China Unicom, whose cloud business was small at the time of the referral,
two of people added.
Alibaba did not respond to a request for comment.
Regulators fear that the companies could access personal
information and intellectual property stored in their clouds and provide it to
the Chinese government or disrupt Americans' access to it, two of the sources
said.
Commerce Department officials are particularly concerned
about one data center that is part-owned by China Mobile in California's
Silicon Valley, according to one of the sources.
China Mobile did not respond to requests for comment about
the data center.
Ownership of a data center provides greater opportunity to
mishandle client data, according to Bert Hubert, a Dutch cloud computing expert
and former member of a board that regulates Dutch intelligence and security
agencies.
He noted that ownership would make it easier to meddle with
clients' servers at night, for example, by installing back doors to enable
remote access or bypass encryption. Those actions would be much tougher in a
data center with strict security policies where the company merely leases
space.
"If you have your own data center you have your own
unique piece of China within the U.S.," he said.
0 comments:
Post a Comment