A shelter mentality to cyber security
The Standing Committee of the National People’s Congress, on November 7th, 2016, formally passed China’s first comprehensive, all-inclusive security regulation for cyberspace.
The Booz Allen Cyber Power Index 2014 placed China 13th in its 2015 global cyber power ranking, whereas the US ranked second. The disparity in the ranking stems from the different cyber philosophies at play: the West keeps a keen focus on risk-based, consumer-protective approaches, securing cyber security through stiff regulations that punish breaches and facilitate standard setting.
China's approach, however, uses the law as a cyber regulatory tool tied to its use of the internet to build up a domestic information economy and a secure network infrastructure that directly benefit national economic development and political stability.
By applying tight controls over its domestic internet to advance its economic, political and military interests, China shifts the emphasis from protecting consumers' data to preventing attacks that threaten party objectives. For China, protecting domestic structures is at the heart of cyber law reform, and one can certainly see such a move in the latest promulgation of the Cyber Security Law (CSL).
Contents and implementation
The new law will require domestic and international software companies, network-equipment makers and other technology suppliers to disclose their proprietary source code — the core component and intellectual property running their software — in order to prove that their products cannot be compromised by hackers. Second, the government wants firms which operate in "critical" areas to store any personal information or important data that they gather in China within China's borders.
On a fundamental level, the law's definition of "critical" is rather vague and expansive, but it is clear that it would apply to commonly accepted areas such as ICT services, energy, transport, water resources and finance. The latter of these new requirements can be seen as rather burdensome for smaller companies, particularly those in the social media sphere.
What it targets
Critical information could include both personal and business information and data, yet the law identifies an exception: data localisation is not necessary for information where "due to business requirements it is truly necessary to provide [data] outside the mainland." However, to take advantage of such an exception, firms must undergo a State Council investigation and oversight process, the specifics of which are currently unknown.
The new CSL targets operators of Critical Information Infrastructures (CIIs) and network operators, both of which currently lack substantial definitions within the law. One can argue that, with only three months to go, firms are left with little time to adapt, amend and put out new features to comply with Chinese regulations. Failure to adhere to the new laws can result in penalties including fines.
What it means for companies
Key provisions can cause concern for tech companies, particularly those of a Western persuasion. One example is that CIIs, such as messaging or communication services, may only provide access to users who register with their real identities. As a result, anonymity is directly attacked.
The initial reception of these regulations was negative, especially from multinational corporations like Microsoft and Apple, which typically rely on daily cross-border flows of business data. This is compounded by the worry that the law will not only require additional expenses in terms of new investments but also increase the risk of data theft. Further, companies will be required to obtain security certifications for important network equipment and software.
Foreign firms expressed a fear that this might be used to pressure them into turning over security keys. This would hit Western firms the hardest, potentially even barring them from China's still-growing market. Such a worry was highlighted by Michael Clauss, Germany's ambassador to China, who expressed that the new "security rules might be used to pursue other aims", including industrial policies favouring Chinese companies.
From a cyber security perspective, China appears to have adopted a shelter mentality, concerned more with domestic protectionism than with actively reinforcing cyber defences and rooting out cyber criminals, a position that lends itself poorly to cross-border cooperative security operations and efforts, weakening China's ability to defend itself in the long run.
The main issues
The vagueness and currently inadequate information surrounding the processes will make it difficult for firms to create a compliance strategy in time for the launch date. Faced with the stark choice of complying or risking exclusion from China, firms will be hard pushed to educate themselves on the legal provisions while also facing pressure from investors and stakeholders.
Furthermore, such a law could stifle innovation. It would pressure foreign firms to comply or risk exclusion, and firms that do not comply could be shut out of a large market. Consequently, this can be seen as "a new and unwelcome development which increases the cost and risk of doing business in China."
Conclusion
For one, the near requirement of duplicate facilities in China for foreign companies to conduct business will certainly dissuade further investment, particularly if firms are wary of being asked to provide "back doors" to the data, harming China's path to further global integration. Certainly, there is no easy path: simply comply, or do not conduct business in China.
Firms will be weighing up the two options over the coming months and are more likely to opt in, as the emerging Chinese market is not one to be missed out on, especially compared with the more mature, stagnant Western markets.
However, this does create the opportunity for national substitutes to rise and for domestic champions, like Lenovo and Huawei, to eclipse foreign competition in the emerging market. All eyes will be on the government to provide updates on the specifics of the legislation as the law is implemented. One thing is for certain: while this does put pressure on foreign firms and tightens control of the internet, protection of consumers, particularly Chinese consumers, is extended.
Liam Lambert is a Durham University law graduate who is now studying in China. This post was one of the standout entries we received for the BARBRI International Cyber Crime Blogging Prize.