CFR Presents

Net Politics

CFR experts investigate the impact of information and communication technologies on security, privacy, and international affairs.



What to Do About China’s New Cybersecurity Regulations?

by Adam Segal
February 2, 2015

The Great Hall of the People in Beijing on March 14, 2013, when Xi Jinping became China's president. (Jason Lee/Reuters)


The China Digital Times has a very good overview of Beijing’s assertion of “Internet sovereignty” at every level, from “international norms and Internet traffic down to software and the hardware it runs on.”

The most recent effort was widely reported last week. China is circulating new cybersecurity regulations for companies in the banking sector and there is concern that the regulations will be expanded to other critical sectors of the economy. Foreign technology companies that supply Chinese banks may be required to turn over source code, submit to invasive audits, and build back doors into hardware and software. According to the New York Times, 75 percent of technology products to be used by banks must be classified as “secure and controllable” by 2019. China ultimately aims to create a “cybersecurity review regime” to assess all Internet and information technology products across the economy.

The Chinese government has promoted these types of policies before. The “Multi-Level Protection Scheme” was introduced in 2007 by the Ministry of Public Security and prohibited non-Chinese companies from supplying the core products used by the government and banking, transportation, and other critical infrastructure companies. Under the 2010 “Compulsory Certification for Information Security Scheme” foreign companies wishing to sell to the Chinese government were required to reveal intellectual property for security products.

But this time looks different. While the previous policies were pushed by specific ministries and a limited number of officials, the current effort appears to come from the top—from the Central Leading Group for Cyberspace Affairs, which is chaired by President Xi Jinping. In addition, banks and other sectors often chose not to comply with the regulations. They made economic and technological arguments that swapping out foreign products for domestic competitors was too expensive and would affect the reliability of their systems. With the new regulations, companies have been told they cannot opt out.

So what is to be done? There is some history to draw on. In December 2003, Beijing announced that WLAN Authentication and Privacy Infrastructure, or WAPI, would be the mandatory standard for any wireless product sold in China. The Chinese standard essentially came out of nowhere, mandated by a government agency without consultation with private companies. In addition, Beijing’s decision not to share an algorithm included in WAPI due to “national security concerns” would have forced foreign companies to cooperate with one of twenty-four Chinese vendors licensed to develop the standard, which was likely to result in technology transfer to the Chinese companies.

U.S. companies like Intel and Broadcom announced they would not adhere to the standard and would stop selling their wireless chips in the Chinese market. In March 2004, the Bush administration sent China a letter about WAPI, signed by Secretary of State Colin Powell, Commerce Secretary Don Evans, and U.S. Trade Representative Robert Zoellick. Arguing that regulations compelling technology transfer were incompatible with China’s trade commitments, the letter implicitly threatened to pursue the case at the World Trade Organization. The Chinese government backed down, agreeing to revise the standard after input from foreign companies.

The WAPI incident suggests three components of a successful strategy that altered China’s approach. First, it was public. It was not the behind-closed-doors, sensitive-to-“face” approach that is so often suggested for negotiations with Beijing. Second, the strategy was unified. There were no defections from companies involved in the Chinese market, and the private sector and the U.S. government applied pressure in tandem. The EU and Japan did the same. Third, the strategy threatened real consequences—a boycott of the Chinese market and a WTO case.

The campaign against the current cybersecurity regulations has just started, and getting all of the actors on the same page will be critical. There has already been a public response. The U.S. Chamber of Commerce, the American Chamber of Commerce in China, the Information Technology Industry Council, the Telecommunications Industry Association, and fourteen other business associations sent a letter to Xi Jinping and the leadership of the Central Leading Group for Cyberspace Affairs, arguing that the technological innovation needed to protect against bad actors could only be achieved “through commitment to an open market and global trade.” A joint letter from the U.S. government, or some other official protest, may be in the works and should come soon. If the Chinese press reports about Apple agreeing to security inspections are true, building a united front among the companies may already be impossible.

All three of the components are necessary to roll back the regulations, but they may not be sufficient. The fact that the regulations come from the central leading group, and that they seem to reflect an ideologically driven effort to control cyberspace at all levels, makes it less likely that Beijing will back down. Even if Beijing does step back in this case, there is a need to address the underlying suspicion. Given the security concerns the U.S. government has with Huawei and other Chinese technology companies, Beijing and Washington have an interest in developing transparent global standards for inspecting and sourcing technology products. Unfortunately for the technology companies, the two sides look farther apart than ever.

2 Comments

  • Posted by Theodore H. Moran

    US IT companies and senior policymakers are viewing Chinese cyber security policy proposals with alarm, in particular requirements that foreign hardware and software providers share their source codes, submit to intrusive audits, and build backdoors into their product that allow Chinese surveillance.

    But US IT regulations include many of these same requirements.

    The Communications Assistance for Law Enforcement Act (CALEA) requires all IT companies operating in the US to build backdoors into their equipment and software to permit the FBI and NSA to conduct round-the-clock surveillance. CALEA also forces IT companies to turn over to the US government any encryption keys customers think are protecting them.

    Fearing loss of sales for obeying US government directives, Apple announced a new corporate privacy policy in the fall of 2014, in which its latest mobile operating system, iOS8, is designed so as to prevent Apple—or anyone but the device’s owner—from accessing content on the device, even if the company is served by a legitimate warrant. Google quickly followed suit for its Android operating system. The NSA and FBI have harshly criticized these moves.

    On February 4, 2015, J. Michael Daniel (cyber security coordinator at the US National Security Council), Ambassador Robert Holleyman (Deputy Trade Representative at USTR), and Alex Niejelow (Chief of Staff of US IPR Enforcement within the Executive Office of the President) issued an open letter calling on the US and China to “work together” on a common approach to cyber security. In this endeavor, both sides will have to address the real tensions between privacy and surveillance that neither side can ignore. Can we live in a world in which Chinese regulations for IT companies mirror our own?

    Theodore H. Moran
    Marcus Wallenberg Professor of International Business and Finance
    Georgetown University

  • Posted by Theodore H. Moran

    Would you like me to do a guest post about legal intercept regulations and the difficulty of constructing an international agreement?

    ted moran
