International Policy Digest

Business /10 Aug 2020
08.10.20

The Global Implications of China’s National and Cyber Security Laws

The recent implementation of a new national security law in Hong Kong has brought the world’s attention to something that companies operating in China have understood for years. The Chinese government’s 2015 National Security Law states that all information systems in China must be “secure and controllable,” which means that every company operating in China – whether domestic or foreign – is required to give the Chinese government their source code, encryption keys, and backdoor access to their computer networks in China. Hong Kong is just the tip of the iceberg. The Law has had profound implications for any Chinese company operating inside or outside of China, for their joint venture partners, and for foreign companies operating inside China.

In other words, businesses must hand the government the lifeblood of their companies and products, while also giving the CCP a free pass to spy on their networks. The Chinese government has arranged that, in order to do business in China, the information that Chinese agents once had to steal through cyberattacks are now automatically provided for the “privilege” of doing business there. Incredibly, even the largest, best known, and most influential foreign companies that operate in China are doing just that.

A good example is IBM, which became the first major U.S. tech company to agree to the new rules in 2015. IBM began delivering its technical knowledge to Chinese companies that had clearly stated their objective of replacing IBM’s markets in China. The company passed information about how to build its high-end servers and the software that runs the servers to Beijing-based Teamsun, which proudly declared its strategy to “absorb and then innovate,” enabling it to eliminate the capability gap between Chinese and American companies and create products that could replace those sold by companies in the U.S.

That was not the first time IBM had done something similar. In 2014, the company sold its x86 server division to Chinese computer company, Lenovo. The $2.1 billion sale included the x86 BladeCenter HT servers used in some critical U.S. Navy systems, including its Aegis Combat System, which controlled the Navy‘s ballistic missile and air defense systems. When a business with products used in critical government and military networks reveals its code to another government, it becomes a national security issue.

The U.S. Navy was subsequently forced to identify and purchase new servers, concerned that Chinese government agents could remotely access the systems by compromising routine maintenance. A vulnerability on Lenovo computers was subsequently discovered, which took advantage of the Lenovo System Update, leaving the door open for hackers. The servers were used by Navy assets, including its guided-missile cruiser and destroyer fleets, and ballistic missile and anti-air defenses.

In 2015, Hewlett-Packard (HP) sold more than half of its networking and server operations to China, whose restrictions on foreign technology vendors pushed its banks, military, and major companies to stop buying foreign technology. HP gave up control of its then $4.5 billion business to remain in the Chinese market, selling 51% of its networking and server operations in the country to an arm of Beijing’s Tsinghua University. Presumably, the only reason HP was being allowed to remain at the time was because the Chinese government had not yet acquired what it perceived to be all of HP’s intellectual and material capital. That was 5 years ago. Multiply these examples exponentially and you begin to understand the implications of the National Security Law.

In 2017, China’s first Cybersecurity Law was enacted, which significantly increased compliance costs for multinationals, leaving them vulnerable to industrial espionage, and ultimately giving some Chinese companies an unfair advantage. While some aspects of the Law were welcomed as a milestone in much-needed data privacy, it also had the effect of helping Beijing steal trade secrets and intellectual property from foreign companies. The Law is both extremely vague and exceptionally wide in scope, potentially putting companies at risk of regulatory enforcement that is not related to cybersecurity.
Among its key provisions are that:

  • All companies must undertake a security assessment before moving data out of China if it contains the personal information of more than half a million users or data is “likely to affect national security or social public interests.” That means that a ridesharing or food delivery service could, therefore, be labeled a national security risk;
  • “Critical infrastructure” companies must store “personal information and other important data” collected in China inside the country; and
  • “Important network products and services” must undergo a “national security review” before being sold in China (which is so vague that it could mean anything).

The Law is part of a drive-by Beijing to shield Chinese data from the eyes of foreign governments. Under it, companies must introduce data protection measures—a novelty for many Chinese businesses—and data relating to the country’s citizens or national security must be held on Chinese servers. Companies must submit to a review by regulators before transferring large amounts of personal data abroad. “Critical” companies—whose designation encompasses sensitive entities such as power companies or banks, but also any company holding data that, if breached, could “harm people’s livelihoods”―must store all data collected in China within the country. These companies, and any services bought by them, must go through a “national security review” to ensure they and their data systems are “secure and controllable.”

The Law allows Beijing to demand access to computer program source code (usually known only by the software developer) and national security reviews may also permit China to delve even further into companies’ intellectual property. In conventional democracies, laws limit what companies may do with information and the extent to which governments can get their hands on it. China’s National Security and Cybersecurity Laws give the government unrestricted access to almost all personal and commercial data. The largest Chinese companies that hold data (such as Alibaba, Baidu, and Tencent) routinely obey government demands to access data.

The rest of the world’s companies and governments have to assume that any firm that is Chinese, operates in China, has access to Chinese citizens, whose information passes through China, or for which the Chinese government deems information relevant to national security is subject to these Laws, and that the government will do whatever is necessary to obtain the information they possess. That means that Huawei or any other firms that are owned or operated by Chinese private of public sector companies, or are otherwise answerable to Beijing, fall under the Laws’ guidelines from the government’s perspective.

It is time for the world’s governments and companies to wake up. Beijing’s reach is wide and deep. It is taking advantage of the West’s openness – and gaps and inconsistencies in our data protection protocols – to acquire information on all of us. The hacks on Anthem, Equifax, Marriott, and the U.S. government are good examples of how they have already done so. American and Western companies need to take a hard look at the costs and benefits associated with operating in China and continuing to have Chinese partners. Those partners must comply with these Laws. American and Western companies that continue to operate with them may unwittingly well be aiding and abetting the Chinese government.

This article was originally posted in Diplomatic Courier.