8 Ways China’s New Cybersecurity Law is Bad News For Businesses
Over the last several years China has made it difficult for foreign companies, specifically tech giants like Google, Microsoft, Facebook, and Twitter, to enter its market. However, as reported in Bloomberg Technology, China has “green-lit a sweeping and controversial law that may grant Beijing unprecedented access to foreign companies’ technology and hamstring their operations in the world’s second-largest economy.”
The Cyber Security Law, which was passed by China’s top legislature, the Standing Committee of the National People’s Congress, will take effect on June 1, 2017. While leaders in China have stated that this was an “objective need” of China as a major internet power, it has sparked several concerns among foreign businesses and rights groups about how China will now dictate how companies can operate in the country.
1. Impacts the bottom line.
Under the new cybersecurity law, businesses will become highly scrutinized. For instance, as Jonathan Vanian points out in Fortune, since outside tech companies are permitted to hold Chinese data outside of the country, they must “aid the Chinese government when it conducts criminal investigations or issues that officials believe could compromise national security. These companies will also have to allow for annual audits to determine if there are potential security concerns for the Chinese government.”
“As for hardware manufacturers, it should come as no surprise that the proposed law calls for network equipment — like switches and routers — to be approved by the Chinese government before being sold domestically,” Vanian continues.
“China has made public its concerns that the United States’ National Security Agency was installing so-called backdoors within Cisco’s hardware for the purpose of spying, and as a result the country has made it much more difficult for foreign hardware companies to do business inside China.”
The result? Cisco, as well as companies like Hewlett Packard, “have seen their sales in China suffer as the country scrutinizes imported hardware.”
2. Businesses are spending millions to comply.
To avoid being scrutinized, companies have been spending millions of dollars in China to build relationships in order to improve sales. Cisco will invest “$10 billion in the country to rebuild relationships and perhaps manufacture more gear inside the country,” Bloomberg Technology mentioned in June 2015, and really, that money may not even help the company attain its goals. Cisco also said (and signed up to do it) that it would help 100 colleges in China with advanced training. Did anyone count how many students would attend the classes in each of these 100 colleges?
Then we have HP, which “sold off 51 percent of its server and networking business in China to Tsinghua Holdings” (which is affiliated with Tsinghua University) in May 2015. HP formed the “h3c hp” in China and garnered a deal by selling the majority stake in its servers/technology assets and the storage contained therein for $2.3 billion.
Microsoft (which has also pledged billions in China) had so many pirated copies of Windows in China that, for business reasons, it has now “given” everyone with a computer Windows 10 for free, including all the users of pirated copies. (So, piracy really does pay!) Dell and Qualcomm, which have invested in establishing joint partnerships with local businesses, have also contributed much, along with promises of more money and technology investments.
Companies like these may be able to spend millions of dollars to build those relationships, but for startups and small businesses that don’t have the funds, it could be almost impossible to enter the Chinese market. In other situations, some businesses may even have to change their entire business model in order to comply with the sweeping Chinese laws.
3. Cooperation carries no guarantees.
Even if your business spends the time and resources to work with China’s new cybersecurity laws, there still aren’t any guarantees that everything will run smoothly. As Bruce Einhorn writes in Bloomberg Businessweek, after “Chinese authorities raided the Microsoft offices as part of an investigation into alleged price fixing, Microsoft has worked hard to keep the government happy.” The company has since worked with “state-owned China Electronics to customize Windows for Chinese users” and has “given up on pushing its search engine, Bing, in China, instead making Beijing-based Baidu its Windows search default in the country.” Even prior to meeting with President Obama, President Xi Jinping met with Bill Gates.
“None of that has resolved the company’s China troubles,” says Einhorn. “On January 5, 2016, China’s State Administration for Industry and Commerce announced a further probe of alleged Microsoft violations of antimonopoly law.”
4. Could place companies under state control.
Corporations and human rights advocates are also concerned that the new law is too restrictive. Human Rights Watch states the new law will:
- Require businesses to censor “prohibited” information and restrict online anonymity.
- Require “critical information infrastructure operators” to store users’ “personal information and other important business data” in China.
- Require companies to monitor and report to the government undefined “network security incidents,” along with providing undefined “technical support” to the Chinese security agencies to aid in investigations.
- Provide a legal basis for potentially large-scale network shutdowns to respond to “major [public] security incidents.”
“The law will effectively put China’s Internet companies, and hundreds of millions of Internet users, under greater state control,” says Sophie Richardson, Human Rights Watch’s China director.
5. Collects and stores too much user data.
Many organizations are concerned about the above-mentioned Article 35 which states, “Personal information and other important business data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People’s Republic of China, shall store it within mainland China.”
Josh Horowitz notes in Quartz that this “is generally interpreted to mean that foreign companies must keep servers for Chinese users located within the country’s borders.” Some companies, such as Airbnb, have already complied and have relocated their Chinese user databases to a domestic location.
Here’s what’s most concerning, however. The “law does not specify what is meant by ‘other important business data’ (product performance data? Payment data?).” Forcing overseas companies to keep more data inside of China does not just cost them more money, it “also heightens the risk that the government [Chinese government] will snoop on it [the information that is gathered].”
6. Doesn’t improve security.
“In terms of improving security, this law is at best a missed opportunity, and some of the measures seem to emphasize protectionism rather than security,” wrote James Zimmerman, chairman of the American Chamber of Commerce in China.
According to an article in the Wall Street Journal by Josh Chin and Eva Dou, this is because many organizations believe that they “will be forced to disclose their source code and other corporate secrets to the Chinese government to prove their equipment is secure.” It is a feeling that many companies have voiced.
Jake Parker, vice president of China operations for the U.S.-China Business Council, told the WSJ, “We’ve heard from companies that they feel these policies cite national security for protectionist purposes.”
In a world where security is a top concern for both businesses and customers, it’s easy to understand why companies would be hesitant to share valuable information with a foreign country, especially when the “cybersecurity law doesn’t specify what the security reviews will entail.”
Parker adds that “putting barriers on foreign technology will undermine China’s goal of a safer and more secure system.”
7. Too vague and ambiguous.
Following the 2008 economic crisis, governing bodies have emphasized to businesses the importance of complying with new regulations, which has given rise to the RegTech industry. Even with these technological advances, it’s difficult to comply with these regulations when, in the words of Zimmerman, these provisions are “vague, ambiguous, and subject to broad interpretation by regulatory authorities.”
For businesses entering the global marketplace to succeed and avoid penalties, governments and regulators must be on the same page when it comes to compliance and security. That’s an issue when a major market like China doesn’t have crystal clear regulations for organizations to follow. As Horowitz concludes, “its lack of clarity ultimately leaves foreign companies without a proper roadmap for how to abide by the law — which in effect serves as a ‘no trespassing’ sign to overseas businesses.”
8. Impairs trade and innovation.
“Cross-border data flow has become increasingly important to trade and to companies in the way they operate every day,” said U.S. Deputy Secretary of Commerce Bruce Andrews. Zimmerman adds, “the more difficult it is for data to travel across the Chinese border, the more difficult it will be for companies inside those borders to innovate, and China risks becoming isolated technologically from the rest of the world.”
In other words, the new cybersecurity law will make it a challenge for businesses to enter China, which will limit global trade and restrict new innovative businesses from emerging in China.
The laws may also pose a threat to the companies themselves if they decide to pull out of China. What happens to the information that has been held inside the company? Will the cybersecurity laws force companies that leave China to also leave their gathered information inside of China?