China’s New Cybersecurity Law Worries Foreign Firms

China’s New Cybersecurity Law Worries Foreign Firms

Beijing has passed a new cybersecurity law which critics have claimed will worsen censorship and surveillance inside the country and could even force some foreign companies out of China.

The Cybersecurity Law was passed by China’s largely ceremonial ‘parliament’ the National People’s Congress on Monday.

Although many of the rules stipulated are already in place, it formalizes them for the first time and sends an uncompromising message to businesses and Chinese citizens.

“Elevating these powers in the Cybersecurity Law sends a signal that the government may enforce the requirements more strictly, leaving less leeway for tech companies to avoid implementation,” said Human Rights Watch in a blog post.

“While many states are debating cybersecurity legislation, China’s law should be viewed within a legal framework where threats to ‘information security’ are defined broadly enough to include sharing information that diverges from official narratives, and where ‘preserving internet sovereignty’ is the overarching goal.”

To these ends, the law requires firms in various industries to censor any banned content and enforce real name registration for various services, including hugely popular instant messaging platforms.

It also requires “critical information infrastructure operators” to store the personal info of users and any other important business data inside China. The scope of this data has been reduced to include only that related to China operations, but it remains undefined, as does the range of firms/sectors that it will apply to.

Any of them wanting to transfer data outside the country must jump through the extra hoop of a security assessment.

Firms must also monitor and report any “network security incidents” to the government and provide “technical support” to help in investigations, as well as retain network logs for at least six months.

While many of the requirements sound like good security practice, there’s always a concern that they and previous laws introduced by the Xi regime could be used to justify the vetting of source code by the authorities, or require tech companies to backdoor products, for example.

If they don’t, the argument goes, they could be chucked out of the country – a claim denied by a spokesman for the Cybersecurity Administration of China at a press conference on Monday, according to reports.

However, there’s no doubt that after the Edward Snowden revelations of NSA spying on Chinese networks Beijing has a valid reason for bolstering cybersecurity, despite many seeing it as a cover for protectionism.

Experts told the WSJ that the new law would at the very least force some firms to change their business model and lead to extra costs.

However, others blamed foreign tech companies like LinkedIn, Apple and Microsoft for not pushing back enough against Beijing earlier.

“Foreign companies should stop their sulking over this law,” Charlie Smith, co-founder of anti-censorship body, told Infosecurity. “They made their bed. If these companies had not acquiesced so often to the requests of the authorities in the past, maybe the law would not be so harsh."

Source: Information Security Magazine