China’s New Cybersecurity Law Rattles Foreign Tech Firms
BEIJING—China’s government has approved a broad new cybersecurity law aimed at tightening and centralizing state control over information flows and technology equipment, raising concerns among foreign companies operating in the country.
The law, passed by the standing committee of China’s rubber-stamp parliament and made public on Monday, says agencies and enterprises must improve their ability to defend against network intrusions while demanding security reviews for equipment and data in strategic sectors. The law also makes censorship a matter of cybersecurity, threatening to punish companies that allow unapproved information to circulate online.
It further requires network operators to provide “technical support” to authorities for national security and criminal investigations.
The law drew criticism from foreign business groups due to the expansive list of sectors that are defined as part of China’s “critical information infrastructure,” making sectors including telecommunications, energy, transportation, information services and finance subject to security checks. China’s lawmakers described the law as necessary to bolster its data security at a time of multiplying threats.
A spokesman for the Cybersecurity Administration of China at a press conference Monday dismissed concerns among foreign companies that Chinese demands for “secure and reliable” or “secure and controllable” technologies could exclude their products.
“Whenever we bring up secure and reliable…some of our friends, especially our foreign friends, their heads swell up. They see it as synonymous with trade barriers,” said Zhao Zeliang, the CAC spokesman. “This is a misunderstanding, a biased view.”
China, often accused of supporting cyberattacks on other countries while also depicting itself as a frequent victim of hacking, has moved aggressively to bolster cybersecurity since Chinese President Xi Jinping came to power four years ago. Efforts accelerated in 2013, when former U.S. National Security Agency contractor Edward Snowden described extensive U.S. government hacking of Chinese networks. The government was rattled again the following year, when Microsoft Corp. decided to end support for Windows XP, aging software that was widely installed in China.
“These issues confronted China quite violently with the reality that they were reliant on foreign technology,” said Rogier Creemers, an expert in Chinese internet and media law at the University of Leiden, in the Netherlands.
The security reviews stipulated in the new law revive concerns among U.S. companies that they will be forced to disclose their source code and other corporate secrets to the Chinese government to prove their equipment is secure, said Jake Parker, vice president of China operations for the U.S.-China Business Council, a trade group representing U.S. companies in China.
“We’ve heard from companies that they feel these policies cite national security for protectionist purposes,” Mr. Parker said.
The cybersecurity law doesn’t specify what the security reviews will entail. The idea of requiring source-code disclosure was floated in drafts of several Chinese regulations last year, then was removed after strenuous protest from the U.S. and other countries.
Jared Ragland, the senior director of policy for Asia at trade group BSA (also known as the Software Alliance), said the requirement for firms involved in critical infrastructure to store their data in China could have a major impact on foreign companies. Those firms wouldn’t be able to move the data overseas without applying to the government for permission.
Mr. Ragland said some companies would need to change their business model to keep operating in China, while others would face higher costs.
Many provisions of the law codify existing practices, including that the government can restrict internet access “in certain regions” in the event of an emergency and that network operators should demand users register with their real names.
Other provisions in the law promote the training of cybersecurity experts, restrict the use of individuals’ personal data and empower the government to punish organizations or individuals who hack into China’s critical infrastructure, including by freezing their assets.
“This is about how the internet might harm the Chinese state in the broadest sense possible,” said the University of Leiden’s Mr. Creemers.
The law is the latest in a series of major statutes adopted under President Xi Jinping to gird against security threats as China enters an age of slower economic growth and greater political uncertainty.
The law was spearheaded by the CAC, a new agency set up by Mr. Xi in early 2014 to consolidate control over cybersecurity and other internet-related issues. The push for a unified approach has exposed tensions between security agencies and those in the government tasked with realizing China’s ambitions of becoming a leading technology innovator, according to analysts and industry insiders.
Although the law gives the CAC power to coordinate China’s cybersecurity efforts, there are still likely to be turf battles as security forces push to have a hand in areas like the setting of security standards, according to Adam Segal, an expert on China and cybersecurity at the Council on Foreign Relations.
“They’re not going to give up their authority without a fight,” he said.