
Login: China // Password: Cybersecurity

  • Writer: Matthew Ong
  • May 20, 2020

Updated: May 29, 2020

In the past, owning natural resources became a competitive advantage. In the present, upholding big data is becoming the most valuable resource for states. China recognizes the power of big data as it continues to rise as an emerging hegemon. Although China has increased its defensive systems militarily as well as economically, one of its more hidden powers lies within cybersecurity, or establishing a growing cyber regime within the Chinese economy. President Xi Jinping plans to increase cybersecurity due to the rising importance of nationalizing data sovereignty, a new form of self-governance required to regulate information intelligence. With 802 million active internet users in December 2019, as well as 94.8% of Chinese SMEs and foreign firms being equipped with computers (Fei), creating laws to monitor the security of information became a necessity for China to facilitate the spread of new data. However, this can be seen as a double-edged sword. To local firms, cyber laws can help prohibit malicious attacks, as 3,513 local websites were hacked in 2009, with 80% of cyber attacks diagnosed as coming from overseas (Fei). Another benefit for local firms was more efficient risk assessment due to the fast-paced nature of foreign technology, allowing them to evaluate what systems work well as they lack private sector experience. To international firms, nevertheless, this inhibits the free flow of information and harms positive relations between the US and China. Thus, the balance between cybersecurity and data privacy between multiple stakeholders is a complicated ethical dilemma the Chinese government has been facing, as they have experimented with enacting laws to help balance out the conflicting incentives of local as well as foreign stakeholders. To fully understand cybersecurity in China, we must break down the nature of the law enacted, the reasons China is imposing the law, and the implications of the law on multiple stakeholders.
Although the cybersecurity laws carried out by the CAC (Cyberspace Administration of China) are comprehensive, appealing to local companies, the preventive measures being taken are based on paranoia and indirectly cause harm towards foreign stakeholders bringing in resources necessary for Chinese economic growth.

The Cybersecurity Law

On June 1, 2017, Xi Jinping implemented the China Internet Security Law to increase cybersecurity measures. The law was voted in by the National People's Congress, centralizing around spot checks conducted on varying networks. The proposals focused on five aspects: personal information protection, security requirements for network operators, critical information infrastructure, restrictions on the transfer of personal information (and management of sensitive data) as well as penalties to crimes against the security law, potentially totaling to 1,000,000 RMB (KPMG). These laws aimed to focus on protecting information by identifying leak risks, classifying data breaches, and maintaining optimal efficiency within their systems. Along with the cybersecurity laws, China's target is to enforce the "3-5-2" rule in 2020. The rule outlines China's ambitious goal to replace 30% of external hardware in the first year (2020), 50% in the second year (2021), and 20% by 2022 (Wheatley). The security laws and 3-5-2 policy were primarily designed to give local firms a competitive advantage and create a "purge of Western software." Designated policies were also created to safeguard sovereignty. Further funds from government expenditure allocated towards developing these policies were used for research and development purposes to help develop new operating systems. Two of the quantitative measures to evaluate these laws (that fall under security requirements for network operators) to determine the overall risk of a cyber breach are the scoring system and the tiered Multi-Level Protection Scheme (MLPS). To maintain controllable products and services, the CAC previously utilized the scoring system to analyze CPUs, operating systems, office suites, and general-purpose computing hardware. As part of the assessment process, suppliers were required to submit source code for approval (Sacks and Li).
Officials would score the source code with varying Chinese cyber-experts based on due diligence conducted. After the scoring systems were published towards firms, they had the choice of making the information public or private. If the data was made public, consumers may choose to utilize this knowledge to purchase from that firm. The scoring system was created to help firms operate using optimal source code and cross-check outside sources. Receiving a low score could cause judicial measures towards firm executives. Nevertheless, the system has caused backlash due to it being highly subjective and vague. One of the specific clauses examines "the amount of enterprise market credibility and reputation," (Sacks and Li) which does not provide a clear definition of the amount of credibility satisfactory for a passing score. Thus, the MLPS 2.0 system was created to revise vague interpretations of the scoring system. Updates to the document include implementing security self-assessments at least once a year on MLPS procedures before submitting filings. Within the self-assessments, firms must include early detection methods and post-incident resolution of a cyber attack. Firms must also make information public to increase awareness for consumers. The grading confirmation system was also revised as a matrix table was generated to determine the magnitude of the impact on different types of cyberattacks (business availability, property losses) and ways the company will protect itself. Penalties were also more clearly defined, as breaches level 3 or above (damage of information system resulting in serious harm to the public interest) will be fined and submitted to the SEMB (State Encryption Management Bureau) for review. The usage of the comprehensive MLPS system removes biases, allowing evaluations to be more objective within the early stage and fully developed corporations.

Reasons for Implementation

China aims to rebuild its cybersecurity systems to retaliate from US cyber-theft accusations. One of these more recent allegations includes stolen intellectual property, as US companies such as Exxon Mobil and Marathon Oil were said to be victims of corporate espionage. Both Exxon and Marathon claimed data was stolen after conducting business with local Chinese firms. To combat the accusations on US IP, President Trump imposed stringent tariffs and sanctions to prevent the Chinese from stealing national intelligence. A recent controversy is the banning of Huawei's 5G networks from entering the US due to claims of IP theft, which has hurt both US semiconductor firms like Qualcomm and software providers such as Microsoft. Huawei, owning 16% of the world semiconductor chip market, is a byproduct of China's belt and road initiative to develop high-tech products (Li). Its fast-paced technology and IMEI (International Mobile Equipment Identity) keep track of the owner's personal information. The usage of the IMEI causes further accusations that the Chinese are stealing from foreign consumers, as it breaches aspects of privacy and human rights violations. The prohibition of Huawei in the US has not only hurt US firms, but also Huawei itself. The US thus wants China to commit to cracking down on IP theft through sources like Huawei. Local governments have agreed with the US, claiming that strengthening IPR protection within cyber laws is extremely important for China to be an international competitor. Thus, the CAC chose to raise penalties through stricter cybersecurity laws to not violate intellectual property rights. A second reason China aims to emphasize its cyber laws is to further develop its dominance in the artificial intelligence market. Because China is still heavily dependent on global value chains, it aims to focus on internal development before dominating as a market leader.
China utilizes cybersecurity laws as a shield to restrict the flow of foreign information while developing their technology. In the electric vehicle space, China has already increased its mobile battery power from 30% to 40%, allowing them to overtake the progress of Japanese batteries (McKinsey). However, China is still dependent on global technology. For electric vehicles, Chinese batteries are still 40% behind on efficiency in comparison to US EVs such as Tesla. This behavior is replicated in the semiconductor industry, as domestic production has only seen moderate progress, lagging behind its counterparts in market share. Jinping aims to expand the domestic supply of semiconductors to $305 billion in 2030, aiming to build an efficient supply chain, as the US only takes 1-2 weeks to make a semiconductor versus a 6-8 week process in China (McKinsey). Therefore, the cybersecurity laws were targeted to cultivate greater productivity within the domestic industry. Xi Jinping aims to increase domestic demand through increased consumption of EVs and semiconductors from 33% in 2016 to 80% in 2030 to foster healthy local competition within SOEs (Wheatley). The usage of cyber laws has helped China's goals of intellectual property regulation as well as stimulating greater research and development in the AI space.

Effect on foreign stakeholders and local consumers

To emphasize the tighter control of IP laws and harvesting a safe space for AI research, the government decided to administer the MLPS system on local Chinese consumers. The Chinese government imposed strict sanctions such as the blocking of VPN, or virtual private networks, as a part of protecting personal information. VPN had already been enforced previously, with the CAC inhibiting the Chinese from going on primarily westernized sites. The Great Firewall, which was established in the early 2010s, had already helped Chinese governments modify search terms and terminology through black holes (removing IP addresses), DNS spoofing (banning domain names), and URL filtering (Yuen). However, it was emphasized once again in the cybersecurity law, as it shut down 1.8 million accounts with unregistered usernames. This helped filter out fake social networking profiles and searches in pornography and violence. URL filtering specifically is used to help mitigate weakening infrastructure, usually prone to cyber attacks such as backdoors. It was discovered in a survey by the Chinese security team that 2,016 IP addresses in the US had implemented backdoors in 1,754 Chinese websites, which had already had 57,000 backdoor attacks (Yuen). The CAC also set off MITM (Man In The Middle) attacks, which is a malicious internet assault to monitor online behavior and control communications through that specific channel. These attacks have been made on varying websites such as but not limited to Google, Yahoo, Microsoft, Apple iCloud, and more. Banking portals were also affected: in November 2018, Chinese Internet users experienced problems connecting to HSBC's e-banking website, as it had been attacked by MITM due to cyber authorities regulating the system.
The CAC had detected a different domain within encrypted logins and shut down the banking portal for a few days, which affected Chinese people that owned HSBC accounts and caused commerce to suffer. In December, the cyberspace authorities did the same thing to Gmail as they had third-party services connected to the service that had not complied with domestic regulations, causing a dramatic plunge in Google traffic. The CAC further implemented administrative authority by creating offices within provinces in China to conduct internet conferences to also discuss the crackdown on VPN and the spread of private information. The regulation of VPN through cyber laws affects consumers, as they are unable to trust reliable sources required for their daily lives, fearing they will be blocked off or shut down. The Human Rights Watch labels this as an invasion of digital privacy, as local consumers are unable to access iCloud usernames and spread information without feeling surveyed or their viewpoints being threatened.

Along with local consumers, foreign firms are also affected due to China's over-dependence on international technology, one of the impending threats in the cybersecurity debate. China is the world's second-largest spender on research and development, with $293 billion being invested in 2018 (McKinsey). China is still reliant on imported technology's intellectual property. China aims to tighten its critical information infrastructure by decreasing the influence of foreign corporations. Multi-national corporations in China face two central difficulties. First, there is the pressure to submit their private source code and undergo invasive audits by the CAC. Second, they are faced with significant compliance burdens, or the increased demand to redesign their products or change business practices to comply with Chinese laws. The compliance burden causes firms to create two versions of their ICT products, one which is compatible with Chinese firms and one for the rest of the world. To allow for more public opinion, the Chinese government created the TC260 (National Information Security Technical Community) (Sacks and Li). Despite the community inviting foreign participants to help draft China's cybersecurity standards, their influence remains limited as local companies have a more significant voice within the conference. One particular list administered during the conference, the procurement list, outlines software that local companies are prohibited from using in fear of digital surveillance and cyber hacking. Software on the list includes Apple's iCloud, Facebook iMessaging, IBM, Salesforce, and Google Analytics. MNCs such as Apple have thus opened data centers in Beijing and Shanghai and erased backdoors, making their information vulnerable to the CAC. Despite Apple and IBM's compliance, China still requires a local partner such as Guizhou to be responsible for running its data center, as well as added CCTV surveillance.
Thus, these corporations face substantial R&D costs as they are sacrificing their product design and confidential information as well as facing national security reviews to comply with Chinese laws. Other companies, such as Facebook and Google, have responded negatively, stating the cyber laws are militant as well as protectionist. Because of this, however, they have lost sales and market share in the Chinese technology space. CEOs are therefore worried the new law is a Trojan Horse for the Chinese government to promote aggressive protectionist policies. The cybersecurity laws cause foreign corporations to choose between losing money adhering to strict policies by redesigning products or losing a valuable consumer segment. China itself slows down its innovation as local companies continue to struggle to grow without the usage of western software, creating a zero-sum game for both Chinese and foreign corporations by creating a less competitive marketplace.

Similar to MNCs, cybersecurity laws negatively impact technology transfer in China. With 14.4 billion RMB being spent on foreign direct investment in 2018 towards ICTs in Chinese companies, China is heavily dependent on these funds to grow local businesses (O’Connor). Nevertheless, venture capital investments have declined from 2015 to 2017 due to rigid laws prohibiting capital flows from entering China, primarily affecting US-China reciprocity. The US has spent a lot of venture capital money on firms like Baidu, Alibaba and Tencent, with offices being established on the West Coast. In turn, Chinese investors have also poured capital into US-based startups such as Magic Leap and, most notably, a 250 million dollar investment into Lyft from Alibaba (O’Connor). Due to the enforcement of the MLPS, the CAC has set regulations upon the Committee on Foreign Investment in the US (CFIUS), the bureau that regulates investment flows. One of these adjustments was the requirement of detailed financial statements ratified by Chinese CPAs to show where funds would be allocated in local companies. Similarly, Chinese funds entering the US were faced with heavy taxes, causing a decreased amount of investment flowing into the US. These regulations hindered venture capital investment due to foreign investors’ fear of acquiring market share within Chinese companies due to a lack of trust. The increase in paranoia has caused broken deals, as one US firm, Volley Labs, which had been frequently receiving Chinese capital in 2017, started declining offers due to concerns by the CAC and CFIUS (O’Connor). Declining venture capital investment strains pre-established business ties between Chinese and American firms. Because data localization is another one of the biggest priorities for the Chinese government, foreign entrepreneurs in China are also struggling to attain licensing requirements for patents.
It is difficult for entrepreneurs to formulate a detailed breakdown analysis required when providing information about the product. The lack of trust with technology transfer caused the OECD to rank China as the 3rd most restrictive market for foreign investors and businessmen in 2017. In a 2019 business survey by the American Chamber of Commerce in China, 35% of survey respondents actually cited licensing requirements as a top challenge of conducting business operations in China (Wagner). A lot of this is due to the importance of disclosing sensitive information regarding the company's future. With the increasing cyber restrictions on venture capital investment and licensing rights, foreign investment is now turning into a scarce resource for Chinese firms seeking to fund their companies for research and development.


Foreign NGOs are also struggling to operate in compliance with cybersecurity laws as they require approvals before commencing operations. In 2016, the Chinese government ratified an international NGO management law in conjunction with the cybersecurity law to promote exchange and cooperation, which prohibited Chinese firms and educational institutions from doing business with NGOs before approval (Iasiello). One organization feeling the adverse effects of the regulations is GreatFire.org, which monitors blocked websites for businesses and consumer groups. GreatFire is a non-profit that helps firms circumvent The Great Firewall by allowing firms to access westernized cloud computing. Charlie Smith, the CEO, stated, "GreatFire's strategy would collapse if foreign businesses hosted all data in China, authorities would cut off access to foreign internet," which would affect information flow (Bloomberg). In addition, governments began requiring foreign NGOs to apply for a "temporary activities" permit lasting one year through the public security department, and similar to venture capital investments, provide full transparency in financial statements. The law was also enacted due to the fear foreign NGOs would interfere with the legal system and cause political opposition against Xi Jinping's regime. Western governments say the temporary activities law has undermined the work performed by NGOs. Moreover, these rules have deemed NGOs as criminals and limited their operating ability, causing 40% of foreign NGOs to shut down at the end of 2019 (Iasiello). This has also caused concern due to its impact on Chinese civil society due to the law disallowing Chinese individuals from committing political activities and expressing public opinion through passionate causes.
Therefore, it can be seen that the rise of cyber laws has caused great unreliability with VPN servers, lack of trust with technology transfer and additional costs in modifying western products to comply with Chinese standards.

Effect on local companies

With Huawei being one out of four types of Chinese government enterprises Xi Jinping aims to grow, local Chinese firms have been seen to reap economic benefits from the cybersecurity laws. Xi Jinping announced the four enterprises during the NPC conference to create smart cities within China. The first type involves forming the base of the ICT sector, utilizing Huawei and ZTE corporation through the development of 5G networks, the second being e-commerce companies like Alibaba and Tencent, the third being consumer products such as Xiaomi and the fourth being financial enterprises (Li). The Chinese government has attempted to market using local products and services, as they are trying to show their legitimacy. To foster domestic growth, local companies have an easier time bypassing verifications as they face looser scoring systems. Domestic firms also have the option not to sacrifice their source code, providing them a vast competitive advantage unlike the MNCs and foreign technology. The laws have garnered support from domestic educational experts such as Li Yuxiao, a professor studying internet regulation at Beijing University. Yuxiao said, "secure information systems are integral to protecting domestic operating systems, lowering information asymmetry over foreign products." (Yin). Jinping states that this management can help boost the domestic tech sector and localize data, as well as protect intellectual property conceived by Chinese corporations (Yin). Cybersecurity laws thus positively benefit these companies as they have an easier time gaining higher scores as they use primarily Chinese algorithms.
Another explanation of increasing cybersecurity laws is to increase regional trade exposure towards technology transfer from local Asian states such as Korea and Japan, strengthening relations between the Asian-Pacific (APAC) region. China aims to increase domestic production within the Asian tigers to build trust within local partners. China aims to make supply chains within the area, as they are the largest trading partner for Malaysia, Singapore, and the Philippines, with 11% of their domestic exports and production being geared towards these states (Rechtschaffen). Building domestic trust is beneficial as China is then able to expand semiconductor exports, as well as share strategical information to strengthen regional trade. Similarly, China wants to focus on increasing infrastructure, stimulating productivity spending on Laos, Cambodia, and other developing economies by providing foreign aid as a part of the belt and road initiative. Politically, this helps boost conversation between China and other trade partners. Through allowing access to information and knowledge by loosening cyber laws on local companies, China can increase productivity in developing Asian countries by lowering exposure with developed economies.

Possible solutions

China must amend vague statements in its CAC to mitigate the challenges it is facing with balancing local interests with foreign corporations. An example the Chinese government can emulate is the EU’s implementation of cyber laws and general data protection monitoring document (GDPR), which is a more comprehensive form of regulations. Because of its clear structure and transparency, companies understand that the laws must be followed to continue operation. Aside from legal clarity, China must provide clear communication channels for foreign corporations to adhere to and provide the capability for firms to voice concerns when they build new infrastructure. The CAC must provide opportunities for corporations such as Apple, who want to be responsive towards Chinese policies, to ask clarifying questions to modify their products and services. Providing legal clarity coupled with clear communication channels will significantly benefit service industries that serve the greater good such as NGOs. In addition to greater communication, the current system of anonymizing data also poses a risk to varying businesses. It creates a compliance nightmare for service-related companies, as they are unable to comprehend which specific laws to follow. For example, it is difficult for a medical-related company to understand what type of patient data is confidential and must be reported back to the CAC, and which data can remain private. Thus, data warehouses and access to resources must be made available through a subsidiary monitored by the CAC to regulate information and conduct scheduled, not sporadic, MITM checks. Financial statements from technology transfer must, however, continue to be monitored to understand where funds are being allocated, especially in terms of strengthening intellectual property laws within the domestic industries.
In terms of encouraging local growth, China needs to continue to strengthen regional ties to help technologically oriented industries that require cooperation. With these rules in place, greater participation will be ensured, and operational excellence will be guaranteed.

Conclusion

Although China's cybersecurity laws at first glance attempt to control the flow of information and rebuild infrastructure, there is a danger other developing countries will model this behavior through beggar-thy-neighbor policies. It's important to recognize that implementing these laws has helped China revise its IPRs, as well as increase domestic production in artificial intelligence and local companies. However, a world with a lack of digital privacy and heightened cybersecurity on foreign corporations and VPN servers could lead to countries being somewhat isolationist, which could disrupt friendly trade and cause strained political relations between states due to a lack of trust. This increases anarchical behavior and further conflict. Therefore, although China has fostered the growth of local companies through its new laws, there is a more significant indirect effect that destabilizes regional and international stakeholders. China's behavior on cybersecurity has rewritten the definition of what it means to be a secure, cyber-sovereign state. In the future, China must continue to be more open-minded in moving the conversation forward on cybersecurity as well as work with their already established relations to propel impactful change.


Sources

Bloomberg. “Foreign Firms Grapple with China's 'Punitive' Cybersecurity Laws.” South China Morning Post, 20 July 2018, www.scmp.com/news/china/economy/article/2095595/foreign-firms-grapple-chinas-punitive-cybersecurity-laws.

Fei, Gao. China's Cybersecurity Challenges and Foreign Policy. Georgetown Journal of International Affairs, International Engagement on Cyber: Establishing International Norms and Improved Cybersecurity Pp. 185-190, JSTOR, 2011.

Iasiello, Emilio. China’s cyber initiatives counter International Pressure. Journal of Strategic Security, Vol. 10 No. 1 (Spring 2017) pp. 1-16, JSTOR, 2017.

KPMG. “MLPS 2.0 Insights and Strategies”. KPMG, May 2019.

Li, Olivia. “Former Employee Discloses Huawei's True Power.” Www.theepochtimes.com, 16 Dec. 2019,

McKinsey. “China and the World: Inside the Dynamics of a Changing Relationship.” McKinsey Global Institute, July 2019.

O'Connor, Sean. “How Chinese Companies Facilitate Technology Transfer from the United States.” US-China Economic and Security Review Commission, 6 May 2019.

Rechtschaffen, Daniel. “Why China’s Data Regulations Are a Compliance Nightmare for Companies.” The Diplomat, 27 June 2019.


Sacks, Samm, and Li, Manyi. “How Chinese Cybersecurity Standards Impact Doing Business In China.” Center for Strategic and International Studies, 2 Aug. 2018, www.csis.org/analysis/how-chinese-cybersecurity-standards-impact-doing-business-china.

Wagner, Daniel. “What China’s Cybersecurity Law says about the Future”. International Policy Digest. 13 May 2019.

Wheatley, Mike. “China Orders Government Agencies to Replace All Foreign Computer Equipment within 3 Years.” SiliconANGLE, 11 Dec. 2019.

Yuen, Samson. “Becoming a Cyber Power: China's Cybersecurity Upgrade and Its Consequences.” China Perspectives, No. 2 (102) (2015), Pp. 53-58, JSTOR, 2015.

Yin, Cao. “Cybersecurity threat could cause damage beyond imagination.” China Daily, 06 December, 2017


 
 
 
