Will China’s revised cybersecurity rules put foreign firms at risk of losing their secrets?
As the clock ticks down to the latest update to China’s cybersecurity regulations on December 1, foreign firms are becoming increasingly concerned about how the changes might affect their operations.
Beijing has set its sights on becoming a technology powerhouse, and it knows that to achieve this it must also develop a defensive structure capable of protecting its manufacturers, researchers and developers from cyberattacks.
As such, the new regulations, which operate alongside China’s cybersecurity law enacted in 2017, lay out precise instructions on how public and private sector companies and organisations – both Chinese and foreign – must secure their networks.
For foreign firms that could mean switching to Chinese equipment, adapting international strategies and exposing their systems to Beijing’s inspectors.
“No other country in the world does this, so it’s unknown how this will work,” said Jim Fitzsimmons, a Singapore-based director of the cyber consulting team at Control Risks, who has been helping multinational companies on the Chinese mainland adapt to the regulations.
“Cybersecurity is not very good in China,” he said. “A lot of information is bought, stolen and traded, so the government wanted to tighten that up.”
But the “pretty unique approach” Beijing had taken to solving the problem was unlike anything multinationals were accustomed to, as in most countries there were no such cybersecurity requirements, except for sensitive industries like defence, financial services and healthcare, he said.
Under the new rules, known as the multilevel protection scheme, all companies that operate a network must tell the government how sensitive the data they handle is, and what strategies and government-approved infrastructure they use to protect it from cyberattack.
As the regulations are administered by the Ministry of Public Security, police teams and their affiliated agencies will have the authority to ask companies to provide documentary evidence to support their claims or even plug directly into their networks to verify them.
While it remains to be seen how intrusive or frequent such inspections might be, Samm Sacks, a cybersecurity policy and China digital economy fellow at the Washington think tank New America, said the multilevel protection scheme was not an “obscure compliance development” that applied only to tech companies.
Rather, when taken alongside Beijing’s other policies, the regulations were part of a government drive to significantly boost its ability to monitor companies across all industries, she said.
“We’re seeing a trend where the Chinese government is putting in place new tools that make it much more difficult for foreign and domestic companies to keep their information private.”
Sacks said the move was also part of a broader national security push, as Beijing sought to address “genuine concerns” as “hi-tech [becomes] an engine of growth for the economy”.
“The Chinese government is moving rapidly to put in place exactly the kinds of protections that we in the US are concerned about on our side with supply chain security and data protection,” she said.
But China’s scheme, which enabled “invasive audits and inspections” that could expose source code or other proprietary information, differed in scope from any US policy, she said.
Under the new rules, companies are ranked in terms of the type of information they could lose in the event of a cyberattack.
Topping the list are critical infrastructure companies – such as energy and telecoms firms, banks and internet providers – but other businesses that process large amounts of sensitive or personal data, including healthcare, research, retail and manufacturing, could also be given a high ranking.
The regulatory requirements for high-ranked companies range from having a clear cybersecurity strategy and monitoring mechanism to running background checks on selected employees.
Yan Luo, a partner at the law firm Covington in Beijing, said many of the requirements were “not that out of the global norm”, and unlikely to be a challenge for firms that already had “robust cybersecurity programmes”.
But some companies were still concerned as to how the new rules might affect their use of services and applications hosted outside the country, as their infrastructure “is connected in such a complex manner that it’s hard to say what systems are inside China”, she said.
“This is a big concern for most of the multinationals we work with.”
Because of that complexity, and the requirement to have only Beijing-approved infrastructure and networks, some companies fear they will have no choice but to switch to Chinese servers and service providers, observers say.
Fitzsimmons said he was working with firms to make them aware that “if you are using a certain cloud service today, it might not be acceptable tomorrow if it’s not considered licensed by the Chinese government”.
“So it could be blocked, and then you’re left without access to what’s a very important business application,” he said.
But others say the more pressing concerns are those regarding privacy, as companies deemed to be handling highly sensitive data may be subject to higher levels of monitoring, including inspections from cyber police, or even remote or back-door access to their networks further down the line.
“This requires firms, especially foreign firms, to carefully consider what data is going through their Chinese servers,” said Joshua Bunnell, a former chief marketing officer at nihub Innovation Centre, which supports early-stage foreign tech start-ups in China.
That might involve companies “refraining from pouring in any outside data into their Chinese offices” or even extracting local data that can be legally moved for analysis outside China to keep it private, he said.