China’s cyber crackdown: A guide for the perplexed

April 24, 2015

The author is a Reuters Breakingviews columnist. The opinions expressed are her own.

China is cracking down on cyber security. Demanding new banking regulations and draft counter-terrorism legislation could make it harder for foreign companies to compete in the People’s Republic. But even though domestic players should benefit, they are far from happy. Breakingviews attempts to crack the code.

What do the new rules say?

China’s banking regulator last year issued a directive stating that three quarters of all information technology used by banks must be “secure and controllable” by 2019. The regulator followed up with a second set of regulations in December last year.

Most controversial is the demand that banks register source code for software, operating systems and databases with the regulator. Other requirements include using only approved encryption technology, filing intellectual property rights in China, and building surveillance “ports” into hardware which allow regulators to access data. Technology companies are also required to set up research and development centres in the country.

At the same time, Beijing is considering counter-terrorism legislation that would require telecom and internet services companies to provide the government with encryption keys and “backdoors” to access traffic and data across networks. They must also store user data within China’s borders. Companies that do not comply will not be allowed to operate in the country.

Though the demands apply to all technology companies, foreign players are concerned about compromising their intellectual property. They are also worried that giving Chinese authorities the tools to access technology would make systems in other parts of the world more vulnerable, and anger other governments.

What is at stake for foreign companies?

Even though China’s economy is slowing, the technology and communications market is large and expanding quickly: IDC expects it to grow by 11 percent this year to $466 billion. While the CBRC guidelines only apply to the banks in the country, other sectors may see similar restrictions.

The short-term costs of complying with the banking restrictions may not be that high. The regulator has for now targeted technologies where domestic companies already dominate. The more onerous demands for disclosing source code and intellectual property may yet be revised. Besides, most large foreign tech companies should already use approved encryption keys and have research and development centres in China.

The draft counter-terrorism law is more troubling. By requiring companies to hand over encryption keys – technology that unlocks protected data – and to install backdoors that allow law enforcement access, the Chinese government is effectively enlisting tech providers to help it enforce domestic security. That leaves foreign firms facing a dilemma: compromise their systems, or leave the market. Some suspect that China’s aim is to push foreign-owned technology out of the country entirely.

Doesn’t China already have some pretty stringent regulations?

It’s true that Chinese rules already favour domestic technology companies. Encryption laws, for example, require the government to approve new products and ban imports of foreign and foreign-developed versions. But these rules have been poorly enforced and are confined to a handful of government ministries.

The proposed new directives are different. President Xi Jinping has lifted cybersecurity up the agenda by personally taking charge of the government group that oversees national information security policy.

The authorities have also made innovation and technology key economic and national priorities. Premier Li Keqiang unveiled an “Internet Plus” plan to national lawmakers in March, according to state media. The plan seeks to boost domestic internet technologies such as cloud computing and big data in manufacturing sectors.

So are these policies motivated by genuine security concerns or protectionism?

Probably a bit of both. The Chinese government’s obsession with security has intensified since Edward Snowden revealed the extent of U.S. cyberspying activities. But the country is also trying to curb its reliance on foreign technology companies and promote local innovation. Homegrown companies like ZTE and Lenovo are increasingly challenging U.S. tech heavyweights such as IBM and Cisco. The latter reported a 19 percent drop in its China revenue in the fourth quarter of 2014 compared with the previous year. Tsinghua Unigroup, a company associated with the country’s prestigious university, is now China’s largest domestic chipmaker and aspires to rival Qualcomm of the United States and Taiwan’s MediaTek.

For now, though, the country still overwhelmingly relies on foreign technology. That makes it hard to push overseas groups out entirely.

Are Chinese companies pleased about the new rules?

Actually they’re not. For Chinese banks, the cost of replacing their entire technology infrastructure would be high, even assuming that they can find domestic replacements for hardware and software like Microsoft’s Windows operating system.

Even domestic technology companies are less than enthusiastic. One concern is that China’s approach will prompt other governments to erect greater barriers for Chinese groups. The chief executive of Huawei, the world’s second-largest telecom equipment group, recently told Reuters that the new regulations could also hamper competition and innovation by cutting China off from developments in the rest of the world.

So will the Chinese government back down?

Pressure from Washington and business groups may be working. The CBRC has temporarily put its new rules on hold in response to lobbying efforts from financial institutions, Reuters reported on April 17. The U.S. has also requested clarifications on the banking guidelines in a filing with the World Trade Organisation dated March 25. But while foreign countries could argue that China’s cybersecurity policies are a barrier to trade, the WTO does allow exceptions for national security.

Meanwhile, the government is pushing ahead. The group led by Xi is this year expected to establish a national cybersecurity review as well as a vetting and auditing regime for all information and communications technology. This will have far-reaching implications for businesses. Foreign technology companies can expect a long uphill battle in China.
