China’s Quest for Cybersecurity Causes Headache for Foreign Companies

“There is no national security without cybersecurity,” declared President Xi Jinping at the inaugural meeting of the Central Leading Group for Cybersecurity and Informatization in February 2014. His words acted as the starter’s gun for a cyberspace regulation marathon in China. Since then, Chinese authorities have tightened the state’s control over all things cyber: from social media and online publishing to IT business models and cloud data centers. The Chinese state is becoming ever more assertive in censoring the Internet, fighting cybercrime and proclaiming its Internet governance model in international forums.

Naturally, this assertive and proactive approach in cyberspace affects a multitude of actors, from netizens and enterprises to domestic state agencies. Among those affected, foreign enterprises have so far been among the loudest critics. This is understandable given that compliance will sometimes require implementing critical and costly technical changes regarding how data is stored, encrypted and shared.

Looking at the sometimes abstract and vague cyberspace regulations issued to date, we can make out four concrete challenges for foreign businesses operating in China. First, the Cybersecurity Law obliges companies selling hardware and software solutions to so-called critical infrastructure operators to pass a state-administered cybersecurity review. The law classifies the following areas as critical: communication infrastructure, energy, transport, water supply, finance, public utilities and e-government services. The law also mentions unspecified areas that might affect “national security,” the “citizens’ well-being” or “public interest.” Such vague language could allow authorities to arbitrarily classify more and more areas as “critical.”

The vetting requirement applies to all products that deal with digital data: from text processing applications and routers to cars with embedded systems. As a result, foreign IT will be placed under special scrutiny. This, China feels, is particularly justified after the Snowden revelations of deliberate security loopholes (or backdoors) that enable state-sponsored hacking. Newly released WikiLeaks documents on the CIA’s policy of exploiting software vulnerabilities must have confirmed Chinese distrust of foreign technology.

Unfortunately, there are few details available on the vetting process itself. The Cyberspace Administration of China announced on February 4 that the yet-to-be-established Commission for Examining Internet Security will be charged with running those cybersecurity reviews. It is unclear how far the review process will go and whether, for example, foreign companies must reveal software source code.

Second, the data localization requirement is another headache for foreign companies. The Cybersecurity Law stipulates that data, such as user data, collected by critical infrastructure operators must be stored within China’s borders. Foreign businesses are concerned that this requirement will increase the risk of industrial espionage and intellectual property theft. The costs of relocating data centers to China are another factor to be considered. However, the Cybersecurity Law allows for exceptions. It is still unclear under which circumstances exceptions to the localization requirement would be granted.

Third, the Counterterrorism Law requires companies, if asked by state authorities, to hand over data of terror suspects. This provision could prove highly problematic. Companies using so-called end-to-end encryption, for example, would not be able to comply: because the decryption keys exist only on their customers’ devices, the provider itself has no technical ability to read the encrypted data. Chinese law does not provide for any exception here. Last year, the FBI obtained a court order compelling Apple to help unlock the iPhone of one of the San Bernardino attackers, which Apple refused to do. That dispute concerned a locked device’s passcode protection rather than end-to-end messaging, but the underlying conflict was the same: a vendor that had deliberately engineered itself out of access to its customers’ data. The case was subsequently dropped after the authorities managed to gain access to the device without Apple’s help. Should a similar case arise in China, we can fairly expect the Chinese authorities to be less lenient toward uncooperative IT companies.

Fourth, the “Administrative Rules for the Commercial Use of Encryption” stipulate that companies are only permitted to use state-approved encryption technologies. The import of secure routers, firewalls, and encryption software must be authorized by the Office of State Commercial Cryptography Administration (OSCCA). This regulation strictly limits the import and sale of foreign encryption products in China. Given the heightening levels of cyberspace controls, we can expect the Chinese authorities to be more rigorous in enforcing this regulation than they have been in the past.
