GitLab considers ban on new hires in China and Russia due to espionage fears

Companies are afraid that future GitLab support staff in China and Russia might steal their data, or be coerced by foreign intelligence services to pass on trade secrets.

Code hosting platform GitLab is considering blocking new hires from countries such as China and Russia.

Eric Johnson, VP of Engineering at GitLab, said discussions on banning new hires from the two countries began after enterprise customers expressed concerns about the geopolitical climate of the two countries.

GitLab is a service akin to GitHub, where companies can host source code projects and have their employees work on the code, synchronizing it to a cloud-hosted server. Companies can also host their own version of GitLab locally, using an eponymously named platform. Companies pay GitLab for access to various enterprise features, and if something goes wrong, GitLab staff provide support.

If approved, the hiring ban will apply to two positions, Site Reliability Engineer and Support Engineer, the two roles that provide tech support to GitLab's enterprise customers.

Johnson said these two support staff positions have full access to customers' data, something that companies had an issue with, especially if tech support staff were to be located in countries like China and Russia, where they could be compromised or coerced by local intelligence services.

Johnson said GitLab does not have "a technical way" to support a data access permission system for employees based on their country of origin.

"Doing so would also force us to confront the possibility of creating a 'second class of citizens' on certain teams who cannot take part in 100% of their responsibilities," Johnson said.

Fears of malicious insiders

The new "hiring ban" is not yet final. Open conversations on the topic started last month, and are scheduled to end November 6.

The discussions began a day after CrowdStrike published a report detailing how China's cyber-espionage agents recruited insiders at western companies to help hackers steal intellectual property (IP) to help state-owned companies build the Comac C919 airplane, a Boeing competitor.

There is a general train of thought that both Russian and Chinese intelligence agencies might use the same blueprint and plant agents or coerce GitLab staff into handing over data belonging to western companies.

GitLab was not immediately available for additional comments.

In a HackerNews post, GitLab CEO Sid Sijbrandij said the company currently does not employ any support staff from China or Russia, so the future ban won't lead to anyone losing their jobs.

Based on opinions shared by GitLab staff in the open discussions, the ban is most likely to be approved when the public consultation period ends on Wednesday.

Once the new hiring ban is approved, GitLab support staff members would also not be allowed to move to China or Russia.

GitLab said the ban wouldn't apply to other job roles or activities, such as accepting code contributions to its open-source code from Chinese or Russian developers. Both Johnson and Sijbrandij said that all contributions to the site's open-source products are vetted by employees, so any malicious code would be detected.