Threat Intelligence Blog

Posted February 14, 2018

As data breaches and hacking incidents continue to increase, more and more nations are seeking to protect their critical information from an attack. As a result, the industry has seen an uptick in regulations from foreign governments. The laws can safeguard information, as well as help countries define their role in the cybersecurity space. Yet, clearly, such legislation will significantly impact companies that do business in these regions.

China’s Cybersecurity Law stands out as a prominent example, one that boosts the government’s powers to impede and/or greatly regulate the dissemination of information. Among other directives, the legislation requires organizations to store data collected within China on Chinese territory, and comply with China’s security checks on their network operations.

On a strategic level, this legislation is in line with the country’s stance on sovereignty, asserting state rights to regulate its portions of the larger cyberspace domain. However, from a business perspective, there are concerns that the law’s broad scope and general ambiguity will allow the government to wield its authority selectively.

Currently, the regulation affects three specific classifications of entities: critical information infrastructure operators (CIIOs), network operators (NOs) and providers of network equipment and cybersecurity products. Unfortunately, China has not yet defined what exactly CIIOs and NOs are. This could potentially mean that any organization – including international organizations in China – that operates computer systems and networks would be considered a “network operator.”

Critics of the law see this as a way to tighten control on civil society while making unreasonable demands on businesses, granting authority to monitor any foreign company’s operations within its borders under the pretense of ensuring information security. The U.S. perceives that such authority conflicts with China’s responsibilities under the General Agreement on Trade in Services (GATS), a 1995 agreement that created international trade rules for the services sector. In essence, the law allows the government to effectively circumvent GATS commitments, according to the critics.

While China’s Cybersecurity Law is specific to businesses operating in China, the implementation of cyber laws by a government entity could have greater implications in the future. In this case, some corporations may face immense costs: They could be forced to change their business models or risk steep penalties. They might need to purchase new technologies and/or pay for additional security assessments. Other potential implications include:

  • Software companies, network equipment makers, and other technology suppliers will be required to reveal their source code in order to prove that their software isn’t hackable. Understandably, impacted organizations fear that source code could be provided to nefarious actors and/or rival companies.
  • Domestic firms can leverage the provisions to target foreign IT companies and promote indigenous production, supporting Beijing’s Made in China 2025 plan, which calls for an increase in domestic components in the advanced IT and robotics sectors. Additionally, the law could serve the interests of protectionist product development proponents at the expense of countries that rely on competition to bolster their economic interests.
  • Multinational companies will not be able to transmit and/or store data collected in China out of the jurisdiction (without proof of cause and government agreement) and thus will have to find alternative ways of operating without breaching the law.
  • The fact that the regulation requires information produced in China to remain in China can make conditions difficult for foreign vendors, particularly of tech equipment, considering that all network equipment must meet Chinese government approval prior to being sold domestically.

What’s more, the law could potentially influence other countries to enact like-minded legislation as a counterbalance, from an economic protectionist perspective. The European Union has been quiet with regard to any criticism – perhaps because its own General Data Protection Regulation (GDPR) contains similar provisions with respect to data transfer?

It remains to be seen if China will alter or soften its position. But for now, the law empowers the government to exert influence on companies, encouraging them to fall in line with its objectives and goals, penalizing those that do not meet its vision. From a global economic perspective, such authority could prove stifling, halting the forward motion of international innovation.
