rdhdallas
Viewer

China and laptop encryption

Hello all,

 

I'm reaching out to this knowledgeable group for direction. My current company is about to expand its business into China and I'm not having much luck tracking down the current China law on bringing encrypted devices into China.

 

Any pointers on where I can find current information?

 

Thanks,

 

Robert

5 Replies
str12
Viewer II

Try the Chinese Consulate.

T0deaC
Viewer III

What specific encrypted devices and what scenario are you talking about? Generally, the national cybersecurity law and OSCCA do care about any crypto products to be used in China.

 
T0deaC
Viewer III

Better reach out to USITO.

 
dhouser
Newcomer III

I am not a lawyer, but I've been on multiple big projects launching into China with enormous investment $$$ floating around, so have a bit of experience.  Consider this advice, and not authoritative.

 

There aren't hard and fast rules. It's all geo-political, and risk-based decisions.

 

 

If you're a technology company, the answers might be different, particularly if your corporation is on unfriendly terms with China (I'm looking at you Google) or if Snowden papers showed your firm colluded w/ the NSA.  But, let's presume you're not on that small list.

 

Basically, they're not going to care what laptop OS or crypto your team members are carrying flying into China, doing business, and flying home.  Could they?  Absolutely, your guys could be back-roomed at the border.  Will they?  Almost certainly not.  The dreaded, "They're going to ask for our keys" seems an exception rather than the rule, and is more common to network infrastructure than executive laptops.  I think the better questions are, "What should {execs/privileged account holders} carry into China? What contingency & OpSec plans should be utilized while there?  What should happen upon return?"

 

For deployment into China, you're not going to want to import anyway, because that gets you into import/export restrictions, tariffs, and all kinds of headaches.  Buy equipment local, software local, install local and you'll be fine.  Will your supply chain be secure? Nope.  But, are you going to frisk the cleaning crew every night?

 

This is a very complex field full of land mines... and I don't want to write a book on here because part of my consulting practice is supply chain security assessment, and helping firms make entry into new markets, China in particular, navigating privacy & security concerns. As I said, there aren't hard & fast rules, so I can't provide absolutes that, "if you do this, then XYZ will be true".

 

Happy to chat over a coffee. 🙂

 

-ddh

Dan Houser, CISSP-ISSAP-ISSMP CSSLP CCSP
#20889
Early_Adopter
Community Champion

IANAL.

 

Agree with dhouser, getting shaken down for decryption keys is probably quite unlikely.

 

BitLocker is not a great option if it needs TPMs in PRC; you can take them in OK, but PCs in China are not sold with them.

 

You will be more likely to need to secure your Chinese company's laptops working as part of your expansion.

 

For Foreign Invested Enterprises (FIEs) it is permissible to import encryption products as long as you follow the right forms around business licenses etc. Foreign-developed encryption products may be imported into China for internal use only by FIEs.

 

FIEs include Sino-foreign equity joint ventures, Sino-foreign cooperative joint ventures, wholly foreign-owned enterprises, foreign-invested joint stock limited companies, etc.

Foreign Invested Commercial Enterprises (FICEs) can act as importer. There are certain document requirements: SEMB Import and Use permit from the FIE customer, Import Agent Agreement between the customer and the FICE, Import Contract between the overseas seller, FICE, and the customer in China.

 

So likely any laptop encryption project you run in PRC is going to use software from McAfee, Check Point or Symantec. Seem to remember Sophos mostly focuses on BitLocker management and the other disk encryption vendors are quite niche.

 

I've traveled to China with encrypted laptops before, WDE and FileVault, and never had any issues - doesn't mean you won't though.

 

Again all of this is potentially subject to change, could be wrong and your best option is to speak to a reputable law firm.

 

https://www.freshfields.com/en-us/our-thinking/campaigns/digital/data/china-rules-on-encryption/