US probing China Telecom, China Mobile over internet, cloud risks

China Mobile

25/06/2024 19:00

(Updates Monday story to lawmaker comment)
    By Alexandra Alper
       WASHINGTON, June 24 (Reuters) - The Biden administration
is investigating China Mobile, China Telecom and China Unicom
over concerns the firms could exploit access to American data
through their U.S. cloud and internet businesses by providing it
to Beijing, three sources familiar with the matter said. 
        Authorities at the Commerce Department are running the
investigation, which has not been previously reported. They have
subpoenaed the state-backed companies and have completed
"risk-based analyses" of China Mobile  0941.HK  and China
Telecom  0728.HK , but are not as advanced in their probe of
China Unicom  0762.HK , the people said, declining to be named
because the probe is not public. 
    The companies still have a small presence in the United
States, for example, providing cloud services and routing
wholesale U.S. internet traffic. That gives them access to
Americans' data even after telecom regulators barred them from
providing telephone and retail internet services in the United
States.
    The Chinese companies and their U.S.-based lawyers did not
respond to requests for comment. The Justice Department declined
to comment and the White House referred questions to Commerce,
which declined to comment. The Chinese Embassy in Washington
said it hopes the United States will "stop suppressing Chinese
companies under false pretexts," adding that China will continue
to defend the rights and interests of Chinese companies. 
    Reuters found no evidence the companies intentionally
provided sensitive U.S. data to the Chinese government or
committed any other type of wrongdoing.
    The investigation is the latest effort by Washington to
prevent Beijing from exploiting Chinese firms' access to U.S.
data to harm companies, Americans or national security, as part
of a deepening tech war between the geopolitical rivals. It
shows the administration is trying to shut down all remaining
avenues for Chinese companies already targeted by Washington to
obtain U.S. data.
    Regulators have not yet made decisions about how to address
the potential threat, two of the people said. But, equipped with
the authority to probe internet services sold into the U.S. by
companies from "foreign adversary" nations, regulators could
block transactions allowing them to operate in data centers and
route data for internet providers, the sources said. 
    Blocking key transactions, in turn, could degrade the
Chinese firms' ability to offer competitive American-facing
cloud and internet services to global customers, crippling their
remaining U.S. businesses, experts and sources said. 
    "They are our chief global adversary and they are very
sophisticated," said Doug Madory, an internet routing expert at
internet analysis firm Kentik. "I think (U.S. regulators) would
not feel like they were doing their job if they weren't trying
to shore up every risk."
     
    ROUTING THROUGH CHINA 
    China Telecom, China Mobile and China Unicom have long been
in Washington's crosshairs. The FCC denied China Mobile's
application to provide telephone service in 2019 and revoked
China Telecom and China Unicom's licenses to do the same in 2021
and 2022 respectively. In April, the FCC went further and barred
the companies from providing broadband service. A spokesman for
the FCC said the agency stands by its concerns. 
    One factor in the FCC's decision was a 2020 report from
other U.S. government agencies that recommended revoking China
Telecom's license to provide U.S. telephone service. It cited at
least nine instances where China Telecom misrouted internet
traffic through China, putting it at risk of being intercepted,
manipulated or blocked from reaching its intended destination.
    "China Telecom's U.S. operations... provide Chinese
government-sponsored actors with openings to disrupt and
misroute U.S. data and communications traffic," authorities said
at the time.
    
        China Telecom has previously denied the government's
allegations and told U.S. agencies that routing problems are
common and occur on all networks. 
        The telecoms company sought to reverse the FCC decision,
but a U.S. appeals court rejected its arguments, noting that the
agencies presented "compelling evidence that the Chinese
government may use Chinese information technology firms as
vectors of espionage and sabotage."
    "As one of our top adversaries, China cannot and should not
ever be trusted to have access to Americans’ private data,” 
Republican congressman and chairman of the House Foreign
Services Committee Michael McCaul said in a statement to
Reuters. 
     
  
    ACCESS POINTS, CLOUD UNDER SCRUTINY
The Chinese telecoms companies' reach extends deep inside the
U.S. internet infrastructure.
    According to its website, China Telecom has 8 American
Points of Presence (PoPs) that sit at internet exchange points,
which allow large-scale networks to connect to each other and
share routing information.
    China Telecom did not respond to requests for comment about
its U.S. based PoPs.
    According to the FCC, there are "serious national security
and law enforcement risks" posed by PoPs when operated by firms
that pose a national security risk. In cases where China
Telecom's PoPs reside in internet exchange points, the company
"can potentially access and/or manipulate data where it is on
the preferred path for U.S. customer traffic," the FCC said in
April.
    Bill Woodcock, executive director of Packet Clearing House,
the intergovernmental treaty organization which is responsible
for the security of critical Internet infrastructure, said
traffic flowing through these points would be vulnerable to
metadata analysis, which can capture key information about the
data's origin, destination, size and timing of delivery. They
also might allow for deep packet inspection, where parties can
glimpse the data's contents, and even decryption. 
    Commerce investigators are also probing the companies' U.S.
cloud offerings, the focus of the 2020 referral from the Justice
Department on China Mobile, China Telecom and Alibaba that
prompted the investigations, the people said. The probe was
later expanded to include PoPs and China Unicom, whose cloud
business was small at the time of the referral, two of people
added. Alibaba did not respond to a request for comment. 
    Regulators fear that the companies could access personal
information and intellectual property stored in their clouds and
provide it to the Chinese government or disrupt Americans'
access to it, two of the sources said. 
    Commerce department officials are particularly concerned
about one data center that is part owned by China Mobile in
California's Silicon Valley, according to one of the sources. 
    China Mobile did not respond to requests for comment about
the data center.
        Reuters could not determine the reason for the
government's specific interest in China Mobile's data center,
but ownership of one provides greater opportunity to mishandle
client data, according to Bert Hubert, a Dutch cloud computing
expert and former member of a board that regulates Dutch
Intelligence and security agencies. 
    He noted that ownership would make it easier to meddle with
clients' servers at night, for example, by installing backdoors
to enable remote access or bypass encryption. Those actions
would be much tougher in a data center with strict security
policies where the company merely leases space.  
    "If you have your own data center you have your own unique
piece of China within the U.S.," he said. 
    

 (Reporting by Alexandra Alper; Additional reporting by David
Shepardson and Casey Hall; Editing by Chris Sanders and Anna
Driver)
 ((mailto:Chris.Sanders@thomsonreuters.com; +1 202-558-8254;
Reuters Messaging: rm://chris.sanders.reuters.com@reuters.net/))