Thank you for this. I would certainly hope that NSA/CIA will have hardened their own IT infrastructure, but my question could perhaps be better phrased along the lines of "Does CPC surveillance/penetration of *general civilian networks and/or individual machines* now approach or even surpass that which we can assume NSA/CIA currently can or do exercise?" Again, this has become a much more immediate concern in the context of NSL Article 38, which attempts to "criminalize violations of the law committed by *anyone anywhere in the world*" (my emphasis). See, for example, Donald Clarke's recent posts at the China Collection blog: -- https://thechinacollection.org/hong-kongs-national-security-law-first-look/ -- https://thechinacollection.org/hong-kongs-national-security-law-dangerous-article-38/ and -- https://thechinacollection.org/article-38-hong-kongs-national-security-law-yes-want-get/ Clarke and his group do not strike me as particularly alarmist.)