Guest Blog By Holly Dragoo
In November 2016, the National People’s Congress (NPC) of China passed the Chinese Cybersecurity Law (CSL), governing a broad range of issues from securing personal information to data leaks, data governance, and hacking. International technology firms are especially concerned, however, because the law uses ambiguous language that could create new barriers to trade. The law went into effect 1 June 2017.
Leadership within the Chinese government has grappled for years with how to control the Internet, big data, and telecommunications in general. Measures on how to handle personally identifiable information (PII) and critical infrastructure data, along with China’s National Security Law of 2015, are part of a growing body of regulations showing the continued resolve to “maintain sovereignty” in this area. The new CSL actually encompasses several initiatives dating back to the 12th Five-Year Plan in 2011, in which the NPC openly stated a goal to robustly strengthen management of the Internet. With its promulgation, leaders have now effectively linked cybersecurity with national security, a symbolic step forward in a comprehensive national plan addressing all things cyber. By extension, officials have created an artificial sense that violations of the law are risks to national security rather than to consumer rights or privacy, which has businesses anxious to be seen as compliant, at significant cost. Penalties for non-compliance with the CSL range from steep fines to cancellation of business licenses.
The CSL comprises 79 articles, but boils down to about three core areas of concern for international trade:
- Mandatory physical data storage in Mainland China
- Mandatory security inspections of equipment prior to sale and/or network installation
- Mandatory law enforcement assistance and data retention regulations
Residency requirements for data have been anticipated in China for some time, hinted at in cultural themes and industry regulations and visible in early drafts of laws. Some companies have been preparing for them by boosting inventories of storage equipment and even stopping data flows to foreign-owned companies within China that have the capacity to store data in country. Most have not taken action yet, waiting to see how enforceable the law will be. All eyes are now on Apple, the first foreign firm since the CSL went into effect to announce construction of an iCloud data center in Guizhou, in a joint venture with local firm Guizhou Cloud Big Data Industry Co Ltd (GCBD). Additionally, revelations about U.S. government access to internet service providers via the Snowden disclosures have created a culture of distrust and the misguided idea that keeping data closer to home will avoid prying eyes.
Mandatory security reviews add another layer of frustration in an already murky government-centered testing and certification environment. The problems are thickest when dealing with official procurement contracts. Handing over encryption, source code, or other key intellectual property to government officials in the name of national security is perceived by many to be yet another thinly veiled way to encourage piracy or to favor domestic companies like Alibaba and Huawei over imported counterparts. Microsoft has had limited sharing agreements with China on its Windows software source code since 2003, but in 2011 CEO Steve Ballmer publicly decried the 95% loss of revenue in China due to piracy. National technology standards that differ from internationally agreed-upon standards – particularly in the telecommunications sector – are already problematic in the same way, set up to award contracts to indigenous partners who may have a leg up in knowing how to secure approvals. Furthermore, there is a risk that if PRC regulators discover a security flaw in a foreign product, they would convert it into an offensive exploit available for use in espionage or cyberattack. While there is no guarantee that inspections will yield a trove of zero-day flaws for the PRC government, the law of averages suggests that a steady stream of new proprietary information will be beneficial to it.
Sharing threat or data breach information with law enforcement is not necessarily unreasonable in principle. However, corruption is still rampant in the military, law enforcement, and civil service sectors in China. When the leaders of wholly state-owned enterprises are de facto government bureaucrats (often installed by Communist Party officials), practically immune from lawsuits and not accountable to outside shareholders, the lines between law enforcement and competitive enterprises get very blurry. As such, companies are naturally hesitant to embrace this requirement, as even the most benign threat tip may reveal aspects of internal network configurations or proprietary data. Aggressive intelligence gathering on foreign companies via network intrusions by the PLA also contributes to the legitimate fear that sharing threat information with law enforcement is tantamount to inviting the PLA onto your networks.
The wording of these articles (Art. 37, 38, and 35 respectively) is open to wide interpretation, and attempts to clarify them further often fail. For example, “network operators,” listed in the Chapter 7: Supplementary Provisions section, is defined as ‘network owners, managers and network service providers’ (Art. 76.3). Does that include businesses that lease equipment or space or otherwise contract out services, or not? Entities running utility, finance, telecommunication, or other ‘critical information infrastructure’ networks must adhere to extra requirements. These are not insignificant: establishing security management procedures, using national security-approved equipment, and maintaining mandatory audit logs and disaster recovery backups. This makes the definitions of such terms crucial in determining preparatory costs. Furthermore, ‘critical information infrastructure operators/areas’ and ‘other important data’ are key phrases whose scope has yet to be articulated, although it is likely that efforts to provide guidance won’t be much more specific.
Uncertainty surrounding the law makes it difficult for companies to prepare adequately and in a timely manner. The General Data Protection Regulation (GDPR) of the European Union (set to go into effect in 2018) and the “Enhanced Cyber Risk Management Standards” (under review by U.S. banking regulators) are two other current initiatives affecting multi-national corporations and consuming vast amounts in preparatory expenses. Interestingly enough, there are several parallels between the CSL and the GDPR, particularly in the principles governing PII. Both laws are rooted in a shared desire for accountability (Art. 40), transparency and lawfulness (Art. 41), full disclosure of leaks or breaches (Art. 42), collection and usage statements (Art. 40), and even the right to correct information or to be deleted (Art. 43). The CSL does not apply extra-territorially, in contrast to the GDPR, which applies to data and businesses located outside its geopolitical borders. Nevertheless, this legal trend has far-reaching effects that have companies calculating liabilities now, to avoid painful regulatory burdens later.
Signs suggest Chinese lawmakers are aware, or are just becoming mindful, of the full impact of the CSL beyond network security matters. International business leaders have lobbied to delay full implementation of the law, but no official changes have been made to date. According to the New York Times, though, the Internet regulatory body, the Cyberspace Administration of China (CAC), has authorized a delay of the restrictions on cross-border data flows until the end of 2018. Chinese enterprises desperately need international data portability for daily operations. In the end, domestic economic drivers like this may pressure the government to seek flexible interpretations of the law, allowing some room for corporate concessions.
Concern about how the CSL will affect trade is substantial and not unfounded. Technology sector companies are already at a competitive disadvantage in Chinese markets due to factors like piracy, a lack of enforcement of intellectual property (IP) laws, and Chinese laws such as the Anti-Unfair Competition Law and the Anti-Monopoly Law that already seem to offer protections, albeit not overtly, to Chinese state-owned enterprises. The 2016 U.S. National Trade Estimate (NTE) notes that sales of software products to China are disproportionately lower than in other markets with stronger IP protection laws. This gap will only be widened by the CSL, in part due to expected artificial demand for Chinese-produced alternative goods, unnaturally distorting market forces. Stimulating domestic production may be seen internally as a positive byproduct of the CSL, but if foreign businesses aren’t able to retain their proprietary information in an environment already rife with counterfeits, they will take their business to other markets, ultimately hurting the Chinese economy.