Monday, June 19, 2017

U.S. Corporate Concerns with China’s New Cybersecurity Law

On 1 June 2017, the Chinese government put an extensive new Cybersecurity law into effect. This law applies to all network operations in China, by Chinese citizens and foreign business operations alike. Many U.S. corporations operating in China have expressed concerns about how this law will impact their ability to operate under the more intrusive Chinese government control. The provisions with the potential for the greatest negative impact on foreign firms include:
  • Definition of network operators. The scope of the Cybersecurity Law provides control over not just telecom operators and internet firms but also banking institutions, insurance companies, securities companies, providers of cybersecurity products and services, and essentially any enterprise with a website in China or that provides network services. The American Chamber of Commerce in China has said the Law “will impact almost every company that operates in China.”
  • Requirements for “critical information infrastructure” operators. The Law defines these to include “public communications and information services, energy, finance, transportation, water conservation, public services, e-governance,” and other enterprises that could harm national security or the economy if damaged. Foreign corporations included in this category now face restrictions on equipment and services they can use, and they are vulnerable to inspection and intrusion by the Chinese government.
  • Restrictions on sending data outside China. The Law states that “personal information and other important data from operations within the PRC shall be stored within mainland China.” Business information and data on Chinese citizens cannot be transferred abroad without permission, and that would be contingent on intrusive “security assessments” by the Chinese government. Some U.S. analysis suggests that this could also prohibit the export of economic, technological, or scientific data considered to “pose a threat to national security or the public interest.”
The situation for foreign firms is uncertain at present because details on the scope of the Law and how it will be enforced are still unavailable. The initial impression among U.S. businesses is that the potential for intrusion and interruption is certainly considerable.

Wapack Labs has cataloged and reported extensively on China's cybersecurity in the past. An archive of related reporting can be found in the Red Sky Alliance portal.