By Cheng Lim and Jack Maher. Cheng Lim leads the cyber security initiative at King & Wood Mallesons. Last year Jack Maher completed a Master of Chinese Law at Tsinghua University while working in the firm's Bejing office.
Cyber security attracted plenty of attention during Chinese President Xi Jinping's recent state visit to the US.
The US and China agreed that neither country's government would conduct or support cyber-attacks with the intent of providing competitive advantages to companies or commercial sectors. This commitment follows increased attention by China at home to the rules governing what it views as its own cyberspace, with the release of a draft cyber security law in July.
In the draft, China made clear its intent to begin building borders for China's cyberspace, to ensure those already active, or who choose to enter, play by its rules. As Article 1 of the draft law states, the aim is to establish Chinese 'cyberspace sovereignty' (w?ngluò k?ngji?n zh?quán).
Although this was the first time Chinese cyberspace sovereignty appeared in a legislative document, the concept had been referred to (although with less explanation) in official communications by the Party since Xi Jinping's elevation to president.
A white paper on China's internet released by the Chinese Government in 2010 laid the foundation for this concept of cyberspace sovereignty, the core tenant being that Chinese and foreign citizens within Chinese territory have the right and freedom to use the internet so long as they obey the laws of China and protect internet security.
In his piece for the Huffington Post late last year Lu Wei, a fast rising political operator in the Chinese Communist Party and director of China's State Internet Information Office told Western business that foreign internet companies already make significant profits in China and can continue to do so. But Wei, who is likely to be providing guidance on the new cyber security law, warned that 'foreign internet companies can come to China if they abide by the law'. The question for foreign companies is: are they willing to play ball with China's reform agenda?
The draft cyber security law signals that Beijing is preparing to tighten its control over the construction, operation, maintenance and use of information networks in China. Among other things, the law would require network operators in China to have cyber security protocols in place to protect against attacks, ensure the IT products and services they use meet relevant national standards, and take immediate action to respond to identified security flaws. The law would also require that information collected or generated by key information infrastructure facilities that is deemed 'important' or 'critical' by the Chinese Government be stored exclusively within mainland China.
In addition, the draft law requires network operators to delete or prohibit the spread of 'prohibited information' by internet users while also reporting it to the relevant Government department.
The law is drafted to apply to international as well as domestic businesses, and so would directly affect foreign network operators with a presence in China, as well as foreign vendors who may need to have their products certified by the Chinese Government before making them available for sale in China. However, it is difficult to predict precisely the law's potential impact as many critical definitions have been left somewhat vague. For example, the term 'network operator' is broadly defined in a way that would clearly cover telco and network service providers, but could also extend to other information service providers such as search engines, social media sites and e-commerce platforms. And it is unclear what information may be deemed sufficiently important or critical such that it cannot be held offshore.
Some insight was offered prior to the draft being released when the China Banking Regulatory Commission (CBRC) released its own rules requiring banking institutions to use 'secure and controllable technology' for 75% of their infrastructure by 2019. The guidelines required bank IT vendors to establish R&D and service centres in China and also file their source code for operating systems and database software with the CBRC. After the draft rules caused some controversy among foreign companies, and in the wake of feedback from local banks, the Government retreated, asking banks to hold off on implementing the rules. However the CBRC has since alerted large Western technology companies that it would be seeking their opinions on a new version of the bank procurement rules. Although the CBRC jumped the gun with its proposed new rules, when viewed in context with the proposed cyber security laws, they provide insight into how other sectors of the economy will be regulated.
Although many foreign companies will rightly look at these developments apprehensively, the laws could also suggest that China intends to open up segments of its economy which have been closed to foreign investment. In the tech sphere, we saw signs of this earlier this year when wholly foreign-owned companies were permitted to operate e-commerce businesses in the Shanghai Free Trade Zone (SFTZ). In June 2015, the Ministry of Industry and Information Technology announced this reform would be extended nationally. The initial SFTZ announcement coincided with a draft foreign investment law issued by the Ministry of Commerce which seems to limit the use of variable-interest entities which are currently used by foreign companies to circumvent laws restricting investment in prohibited areas of the economy. China’s prohibition of the VIE structure appears to signal its intention to redirect future investment through approved and expanding channels.
Through these efforts China, in a increasingly assertive manner, is gradually establishing sovereignty over cyberspace on its terms.
Photo by Ted S Warren-Pool/Getty Images.