[BreachExchange] Why China’s New Cybersecurity Law Is Bad News for Business

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 1 19:21:40 EST 2016


http://fortune.com/2016/12/01/china-cybersecurity-law-business/

China’s new cybersecurity law, expected to take effect next June, could
hurt any foreign firm looking to do business in the world’s second-largest
economy. Though the law is intended to fight non-Chinese and Chinese
hackers, it also requires that foreign companies provide China’s government
with potentially sensitive information about network equipment and
software. Given the weaknesses of China’s enforcement of laws around
intellectual property, it’s easy to see how trade secrets can fall into the
hands of Chinese competitors at the expense of the best interests of
foreign firms.

Businesses most at risk will be those with special hardware and systems for
network management, which could well include ATMs. Because new-generation
ATMs have a much higher level of connectivity, they’re more vulnerable to
hacking, which is why they require sophisticated encryption devices and
software to secure transactions. This cybersecurity law thus provides the
government with the legal tool to obtain all such anti-hacking proprietary
security hardware and software, which could then be passed on to relevant
Chinese firms. And having access to the hardware and software means firms
would have access to individuals’ personal banking information, as well.

The new law is also counterproductive because the scope of information that
foreign companies will be required to provide to Chinese officials is
worryingly broad. Complying with this requirement will force U.S. firms to
make expensive investments to build duplicate facilities within China. This
is in total contradiction with the free flow of data, expected to swell in
2020 after the introduction of 5G.

U.S. companies will have to weigh this risk against the opportunity to do
business in China, which has developed a reputation for ‘copying’ without
getting insider access. For international companies, there is no easy way
forward, as the choice is black or white. Either foreign companies will
comply, knowing China has a way to peek into what was previously private,
or they will choose to stand by principles of privacy at the risk of being
excluded from the Chinese market. Despite the challenging dilemma,
companies are likely to comply and give in to China’s demands. The market
is too huge and far too ripe for future growth to be ignored, especially
when compared to more stagnant outlooks in Europe and the U.S.

In addition to creating barriers for international business in China, this
kind of legislative move could stall innovation. It could well be
considered to be part of what is called “indigenous innovation” in China,
which consists of favoring Chinese firms by establishing non-tariff
barriers—such as specific standards or regulations on products—in order to
prevent non-Chinese firms from accessing China’s large and dynamic market.
And the impact would be wide-ranging, from consumer electronics to
products, such as equipment to produce renewable energy, including
windmills and solar panels.

Innovation involves a complex process, but it requires a society to be as
open as possible and to allow vibrant exchanges between people. While
cybersecurity is important, this law will wrap around the free market as it
grips security. Within China, entrepreneurs are, by and large, not bothered
by their government’s management of the Internet, called the “great
firewall.” However, this new law is a new step to tighten the government’s
grip on the Internet. Furthermore, far from favoring China’s champions in this
very dynamic area, such as Huawei, Lenovo, or Tencent, this law will
handicap them in the long term. Maybe the hope is that these companies
themselves will fight to alter the law and mitigate the negative
implications for China’s Internet landscape.

U.S. companies have already begun to strongly lobby against the law, as
well as China’s position that the Internet must be managed by authorities.
But despite the efforts of any company, American, Chinese, or other, the
cybersecurity law is just a piece of a larger ongoing political puzzle that
companies will have to deal with. In the end, agility will be key for
companies to succeed in the tense political environment.