US investigates China Telecom, China Mobile for security risks

Companies provide cloud services and route wholesale US internet traffic, which gives them access to Americans' data


Reuters June 26, 2024
Chinese and U.S. flags flutter outside the building of an American company in Beijing, China, January 21, 2021. PHOTO: REUTERS

WASHINGTON:

The Biden administration is investigating China Mobile, China Telecom and China Unicom over concerns the firms could exploit access to American data through their US cloud and internet businesses by providing it to Beijing, three sources familiar with the matter said.

Authorities at the Commerce Department are running the investigation, which has not been previously reported. They have subpoenaed the state-backed companies and have completed "risk-based analyses" of China Mobile (0941.HK) and China Telecom (0728.HK), but are not as advanced in their probe of China Unicom (0762.HK), the people said, declining to be named because the probe is not public.

The companies still have a small presence in the United States, for example, providing cloud services and routing wholesale US internet traffic. That gives them access to Americans' data even after telecom regulators barred them from providing telephone and retail internet services in the United States.

The Chinese companies and their US-based lawyers did not respond to requests for comment. The Justice Department declined to comment and the White House referred questions to Commerce, which declined to comment. The Chinese Embassy in Washington said it hopes the United States will "stop suppressing Chinese companies under false pretexts," adding that China will continue to defend the rights and interests of Chinese companies.

Reuters found no evidence the companies intentionally provided sensitive US data to the Chinese government or committed any other type of wrongdoing.

The investigation is the latest effort by Washington to prevent Beijing from exploiting Chinese firms' access to US data to harm companies, Americans or national security, as part of a deepening tech war between the geopolitical rivals. It shows the administration is trying to shut down all remaining avenues for Chinese companies already targeted by Washington to obtain US data.

Regulators have not yet made decisions about how to address the potential threat, two of the people said. But, equipped with the authority to probe internet services sold into the US by companies from "foreign adversary" nations, regulators could block transactions allowing them to operate in data centers and route data for internet providers, the sources said.

Blocking key transactions, in turn, could degrade the Chinese firms' ability to offer competitive American-facing cloud and internet services to global customers, crippling their remaining US businesses, experts and sources said.

"They are our chief global adversary and they are very sophisticated," said Doug Madory, an internet routing expert at internet analysis firm Kentik. "I think (US regulators) would not feel like they were doing their job if they weren't trying to shore up every risk."

ROUTING THROUGH CHINA

China Telecom, China Mobile and China Unicom have long been in Washington's crosshairs. The FCC denied China Mobile's application to provide telephone service in 2019 and revoked China Telecom and China Unicom's licenses to do the same in 2021 and 2022 respectively. In April, the FCC went further and barred the companies from providing broadband service. A spokesman for the FCC said the agency stands by its concerns.

One factor in the FCC's decision was a 2020 report from other U.S. government agencies that recommended revoking China Telecom's license to provide US telephone service. It cited at least nine instances where China Telecom misrouted internet traffic through China, putting it at risk of being intercepted, manipulated or blocked from reaching its intended destination.

"China Telecom's U.S. operations... provide Chinese government-sponsored actors with openings to disrupt and misroute U.S. data and communications traffic," authorities said at the time.

China Telecom has previously denied the government's allegations and told US agencies that routing problems are common and occur on all networks.

The telecoms company sought to reverse the FCC decision, but a US appeals court rejected its arguments, noting that the agencies presented "compelling evidence that the Chinese government may use Chinese information technology firms as vectors of espionage and sabotage."

The Commerce Department "must rigorously use its...authorities to protect US data and infrastructure from Chinese companies like China Telecom," Republican congressman and chairman of the House Foreign Services Committee Michael McCaul said in a statement to Reuters. "As one of our top adversaries, China cannot and should not ever be trusted to have access to Americans' private data," he added.

China Telecom and its US attorney did not immediately respond to requests for comment on his remarks.

ACCESS POINTS, CLOUD UNDER SCRUTINY

The Chinese telecoms companies' reach extends deep inside the US internet infrastructure.

According to its website, China Telecom has 8 American Points of Presence (PoPs) that sit at internet exchange points, which allow large-scale networks to connect to each other and share routing information.

China Telecom did not respond to requests for comment about its US-based PoPs.

According to the FCC, there are "serious national security and law enforcement risks" posed by PoPs when operated by firms that pose a national security risk. In cases where China Telecom's PoPs reside in internet exchange points, the company "can potentially access and/or manipulate data where it is on the preferred path for US customer traffic," the FCC said in April.

Bill Woodcock, executive director of Packet Clearing House, the intergovernmental treaty organization which is responsible for the security of critical Internet infrastructure, said traffic flowing through these points would be vulnerable to metadata analysis, which can capture key information about the data's origin, destination, size and timing of delivery. They also might allow for deep packet inspection, where parties can glimpse the data's contents, and even decryption.

Commerce investigators are also probing the companies' US cloud offerings, the focus of the 2020 referral from the Justice Department on China Mobile, China Telecom and Alibaba that prompted the investigations, the people said. The probe was later expanded to include PoPs and China Unicom, whose cloud business was small at the time of the referral, two of the people added. Alibaba did not respond to a request for comment.

Regulators fear that the companies could access personal information and intellectual property stored in their clouds and provide it to the Chinese government or disrupt Americans' access to it, two of the sources said.

Chinese "cloud providers pose an unacceptable national security risk and should not be allowed to operate in the United States," Republican Congressman John Moolenaar, who chairs the House Select Committee on China, said in a statement. "I urge the administration to expand its investigation to include all (Chinese) cloud providers," he added.

Commerce department officials are particularly concerned about one data center that is part owned by China Mobile in California's Silicon Valley, according to one of the sources.

China Mobile did not respond to requests for comment about the data center.

Reuters could not determine the reason for the government's specific interest in China Mobile's data center, but ownership of one provides greater opportunity to mishandle client data, according to Bert Hubert, a Dutch cloud computing expert and former member of a board that regulates Dutch intelligence and security agencies.

He noted that ownership would make it easier to meddle with clients' servers at night, for example, by installing backdoors to enable remote access or bypass encryption. Those actions would be much tougher in a data center with strict security policies where the company merely leases space.

"If you have your own data center you have your own unique piece of China within the US," he said.
