The Standing Committee of the National People’s Congress formally passed China’s first comprehensive, all-inclusive security regulation for cyberspace on November 7th, 2016, and it is set to take effect on June 1st, 2017.
The Booz Allen Cyber Power Index 2014 placed China thirteenth in its 2015 global cyber power ranking, whereas the US ranked second. The disparity in ranking, despite both nations’ impressive cyber infrastructure, stems from the different cyber philosophies at play. For the West, the focus is a risk-based, consumer-protective approach that secures cyberspace by establishing stiff regulations to punish breaches and facilitate standard setting.
China’s approach, however, of using the law as a cyber regulatory tool is tied to its use of the internet to build up a domestic information economy and a secure network infrastructure that directly benefits national economic development and political stability.
By applying tight controls over its domestic internet to advance its economic, political, and military interests, the approach to what is required shifts from protecting consumers’ data to preventing attacks that threaten party objectives. For China, protecting domestic structures is at the heart of cyber law reform, and one can certainly see such a move in the latest promulgation of the CSL.
Contents and Implementation
The new law will require domestic and international software companies, network-equipment makers and other technology suppliers to disclose their proprietary source code, the core component and intellectual property running their software, in order to prove that their products cannot be compromised by hackers. In addition, the government wants firms which operate in “critical” areas to store any personal information or important data that they gather in China within China’s borders.
On a fundamental level, the law’s definition of ‘critical’ is rather vague and expansive, but it is clear that it would apply to commonly accepted areas such as ICT services, energy, transport, water resources and finance. The latter of these new requirements can be seen as rather burdensome for smaller companies, particularly those in the social media sphere. The longer a company operates, the more data it will collect from within China, so more storage space will be required, with further expenses to acquire this storage in China.
What It Targets
Critical information could include both personal and business information and data, yet the law identifies an exception: data localisation is not necessary for information where “due to business requirements it is truly necessary to provide [data] outside the mainland.” However, to take advantage of this exception, firms must undergo a State Council investigation and oversight process, the specifics of which are currently unknown.
The new Cyber Security Law (CSL) targets operators of Critical Information Infrastructures (CIIs) and network operators, both of which currently lack substantial definitions within the law. So far, Network Operators have been designated as ‘an operator of basic telecommunication networks, internet information service providers and key information systems,’ but this is still vague. One can argue that, with only three months to go, firms are left with little time to adapt, amend and put out new features to comply with Chinese regulations. Failure to adhere to the new laws can result in penalties, including fines.
What It Means for Companies
Key provisions can cause concern for tech companies, particularly Western ones. One example is that CIIs such as messaging or communication services may provide access to their service only to users who register under their real identities. As a result, anonymity is directly attacked.
The initial reception of these regulations was negative, especially from multinational corporations like Microsoft and Apple, which typically rely on daily cross-border flows of business data. This is compounded by the worry that the law will not only require additional expenses for new investments but also increase the risk of data theft. Further, companies will be required to obtain security certifications for important network equipment and software.
Foreign firms expressed a fear that this might be used to pressure them into turning over security keys and other patented software to the state which would then be disseminated to state-owned rivals. This would hit Western firms the hardest, potentially even barring them from China’s still growing market. Such a worry was highlighted by Michael Clauss, Germany’s ambassador to China, who expressed that the new “security rules might be used to pursue other aims” including industrial policies favouring Chinese companies.
From a cyber security perspective, China appears to have adopted a shelter mentality, concerned more with domestic protectionism than with actively shoring up cyber defences and rooting out cyber criminals, a position that lends itself poorly to cross-border cooperative security operations and efforts, weakening China’s ability to defend itself in the long run.
The Main Issues
The vagueness and currently inadequate information surrounding the processes will make it difficult for firms to create a compliance strategy in time for the launch date. Faced with the stark choice of complying or risking exclusion from China, firms will be hard pressed to educate themselves on the legal provisions whilst also facing pressure from investors and stakeholders.
Furthermore, such a law could stifle innovation. Foreign firms that do not comply could be shut out of a large market. One can see this as a barrier to foreign success, placing a bigger emphasis on domestic products. Consequently, this can be seen as “a new and unwelcome development which increases the cost and risk of doing business in China.”
For one, the effective requirement that foreign companies build duplicate facilities in China to conduct business will certainly dissuade further investment, particularly if firms are wary of being asked to provide ‘back doors’ to the data, harming China’s path to further global integration. Certainly, there is no easy path: simply comply or do not conduct business in China.
Firms can either adhere to the new rules, understanding that there is a risk that private information can be viewed by the government, or take the second option and risk penalties, including exclusion from the Chinese market. Firms will be weighing up these two options for the coming months, and are more likely to opt in, as the emerging Chinese market is not one to be missed out on, especially compared with the more mature, stagnant Western markets.
However, this does create the opportunity for national substitutes to rise and for domestic champions, like Lenovo and Huawei, to eclipse foreign competition in the emerging market. All eyes will be on the government to provide updates on the specifics of the legislation as the law is implemented. One thing is certain: whilst this puts pressure on foreign firms and tightens control of the internet, consumer protection, particularly for Chinese consumers, is extended.