[BreachExchange] China adopts a tough cyber-security law

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 11 14:05:14 EST 2016


http://www.economist.com/news/china/21710001-foreign-firms-are-worried-china-adopts-tough-cyber-security-law?zid=317&ah=8a47fc455a449455801


“THIS is a step backwards for innovation in China that won’t do much to
improve security.” Those damning words from James Zimmerman, chairman of
the American Chamber of Commerce in China, describe his view of a sweeping
new cyber-security law adopted on November 7th. Many foreign businesspeople
agree with his dim assessment.

Though ostensibly designed to strengthen local networks against malicious
hackers, in fact the bill looks very much like a techno-nationalist Trojan
horse. The law affects both domestic and foreign firms operating on the
Chinese mainland and covers a wide range of activity relating to use of the
internet and information and communications technologies (ICT). It will not
come into force until June next year, so it is not yet clear how the rules
will be implemented.

Even so, several of them seem problematic. First, the government wants
firms operating in “critical” areas to store inside China any personal
information or important data that they gather in-country. But the law’s
definition of critical is absurdly expansive. It includes ICT services,
energy, transport, water resources, finance and e-government.

This is a headache for multinationals, which typically rely on cross-border
flows of business data. Firms worry that the law will not only require
expensive new investments but also increase the risk of data theft. Another
thorny provision requires companies to get security certifications for
important network equipment and software. Foreign firms fear this might be
used to force them to turn over security keys and proprietary technologies,
which could be passed on to state-owned rivals.

Michael Clauss, Germany’s ambassador to China, worries that “security rules
might be used to pursue other aims” such as industrial policy favouring
Chinese companies. He is not the only one. Chinese media note with
enthusiasm that provisions requiring the use of internet products and
services that are “secure and trusted” (whatever that means) are likely to
favour Chinese hardware firms like Lenovo and Huawei and local
cloud-computing providers such as Alibaba and Tencent.

Ironically, the overweening law may end up doing the opposite of what is
intended. Because threats to networks are increasingly transnational,
taking a bunker mentality could make it harder for China to prevent
attacks. Mark Austen, head of the Asia Securities Industry and Financial
Markets Association, believes the new rules are flawed because they do not
encourage cross-border co-operation.

If Chinese officials reject such talk as the mere bleating of foreigners,
they should at least listen to Eric Xu. More than a year ago he warned: “If
we’re not open, if we don’t bring in the world’s best technology, we’ll
never have true information security.” That eloquent rejection of
techno-nationalism came from a man who is co-chief executive of Huawei.