What to Do About China’s New Cybersecurity Regulations?

The China Digital Times has a very good overview of Beijing’s assertion of "Internet sovereignty" at every level, from "international norms and Internet traffic down to software and the hardware it runs on."

The most recent effort was widely reported last week. China is circulating new cybersecurity regulations for companies in the banking sector and there is concern that the regulations will be expanded to other critical sectors of the economy. Foreign technology companies that supply Chinese banks may be required to turn over source code, submit to invasive audits, and build back doors into hardware and software. According to the New York Times, 75 percent of technology products to be used by banks must be classified as “secure and controllable” by 2019. China ultimately aims to create a “cybersecurity review regime” to assess all Internet and information technology products across the economy.

The Chinese government has promoted these types of policies before. The "Multi-Level Protection Scheme" was introduced in 2007 by the Ministry of Public Security and prohibited non-Chinese companies from supplying the core products used by the government and banking, transportation, and other critical infrastructure companies. Under the 2010 "Compulsory Certification for Information Security Scheme" foreign companies wishing to sell to the Chinese government were required to reveal intellectual property for security products.

But this time looks different. While the previous policies were pushed by specific ministries and a limited number of officials, the current effort appears to come from the top—from the Central Leading Group for Cyberspace Affairs, which is chaired by President Xi Jinping. In addition, banks and other sectors often chose not to comply with the regulations. They made economic and technological arguments that swapping out foreign products for domestic competitors was too expensive and would affect the reliability of their systems. With the new regulations, companies have been told they cannot opt out.

So what is to be done? There is some history to draw on. In December 2003, Beijing announced that WLAN Authentication and Privacy Infrastructure, or WAPI, would be the mandatory standard for any wireless product sold in China. The Chinese standard essentially came out of nowhere, mandated by a government agency without consultation with private companies. In addition, Beijing’s decision not to share an algorithm included in WAPI due to “national security concerns” would have forced foreign companies to cooperate with one of twenty-four Chinese vendors licensed to develop the standard, which was likely to result in technology transfer to the Chinese companies.

U.S. companies like Intel and Broadcom announced they would not adhere to the standard and would stop selling their wireless chips in the Chinese market. In March 2004, the Bush administration sent China a letter about WAPI, signed by Secretary of State Colin Powell, Commerce Secretary Don Evans, and U.S. Trade Representative Robert Zoellick. Arguing that regulations compelling technology transfer were incompatible with China’s trade commitments, the letter implicitly threatened to pursue the case at the World Trade Organization. The Chinese government backed down, agreeing to revise the standard after input from foreign companies.

The WAPI incident suggests three components of a successful strategy that altered China’s approach. First, it was public. It was not the behind-closed-doors effort, sensitive to issues of "face" approach that is so often suggested in negotiations with Beijing. Second, the strategy was unified. There were no defections from companies involved in the Chinese market, and the private sector and the U.S. government applied pressure in tandem. The EU and Japan did the same. Third, the strategy threatened real consequences—a boycott of the Chinese market and a WTO case.

The campaign against the current cybersecurity regulations has just started and getting all of the actors on the same page will be critical. There has already been a public response. The U.S. Chamber of Commerce, the American Chamber of Commerce in China, the Information Technology Industry Council and the Telecommunications Industry Association and fourteen other business associations sent a letter to Xi Jinping and the leadership of the Central Leading Group for Cyberspace Affairs, arguing that the technological innovation needed to protect against bad actors could only be achieved by “through commitment to an open market and global trade.”A joint letter from the U.S. government, or some other official protest may be in the works and should come soon. If the Chinese press reports about Apple agreeing to security inspections are true, building a united front among the companies may already be impossible.

All three of the components are necessary to roll back the regulations but they may not be sufficient. The fact that the regulations come from the central leading group, and that they seem to reflect an ideologically driven effort to control cyberspace at all levels, make it less likely that Beijing will back down. Even if Beijing does step back in this case, there is a need to address the underlying suspicion. Given the security concerns the U.S. government has with Huawei and other Chinese technology companies, Beijing and Washington have an interest in developing transparent global standards for inspecting and sourcing technology products. Unfortunately for the technology companies, the two sides look farther apart than ever.