China’s cybersecurity regulations rattle U.S. businesses
New draft rules flesh out an existing law that many already consider draconian
A host of proposed cybersecurity regulations by China are vexing U.S. businesses, who see the rules as new barriers to the Chinese market, and loom as a potential sticking point in coming U.S.-China trade talks.
The new draft rules and standards, released over the past two months with little fanfare, flesh out an existing cybersecurity law that the U.S. and many foreign businesses already consider draconian. Some forbid certain data from leaving China or slow down the process of sending data overseas, increasing uncertainties and costs. Tough procurement rules could also place foreign products at a disadvantage.
If enacted, the measures are likely to hit a swath of American companies, including makers of tech products such as Cisco Systems Inc., International Business Machines Corp., Juniper Networks Inc. and Dell Technologies Inc., as well as those in financial services or the automotive sector that handle data.
U.S. businesses and trade groups say some of the proposals are too vague and give Chinese officials leeway on enforcement. The Cybersecurity Administration of China and the Ministry of Public Security, which are involved in the various drafts, didn’t respond to requests for comment.
The rules don’t only target U.S. companies. They reflect multiple factors shaping China’s cybersecurity landscape, including growing consumer awareness over data privacy and a recent global trend of establishing new data privacy rules, experts say.
The timing suggests Beijing is using them to show Washington it has options to punish U.S. businesses, experts said.
“These are the tools in the arsenal that can be ready to be fired,” said Samm Sacks, a cybersecurity expert at the Washington-based think tank New America.
While the release of these proposals had been expected following the introduction of a new cybersecurity law in 2017, Beijing had seemingly held them in abeyance while talks with the U.S. on ending the tariff fight progressed early this year.
Greater access for American tech companies is a priority for U.S. negotiators, and Chinese officials showed a willingness to discuss issues related to cybersecurity.
Then, after negotiations foundered in May, Beijing started releasing the new draft rules. More followed after Washington placed restrictions on Chinese telecommunications-gear maker Huawei Technologies Co.
President Trump and his Chinese counterpart Xi Jinping last month committed to restarting trade talks, with delegations set to meet this week. The proposed cybersecurity regulations could be a factor in future negotiations, as they would impose restrictions on American business operations and market access.
“China’s resumption of regulatory efforts signal less willingness to bow to U.S. demands in hopes of [a trade] agreement,” said Paul Triolo, head of geotechnology at research firm Eurasia Group.
The Office of the U.S. Trade Representative didn’t immediately respond to a request for comment.
While the cybersecurity law is already in effect, Beijing is still in the process of setting implementation measures. The recently released drafts cover at least eight categories and could be changed.
Of particular concern are the rules requiring cybersecurity reviews. They lay out the steps operators of “critical information infrastructure” must go through to procure network equipment that could influence national security, including a review by an interagency organization.
The draft doesn’t define exactly what a “critical information infrastructure” operator is. China has broadly said they include those with computernetwork operations in telecommunications, energy, transportation, information services and finance, but U.S. trade negotiators are pressing for more details.
It also states that operators must assess risks including the likelihood of supply chain disruption due to “politics, diplomacy and trade”—wording that policy experts say is likely in direct response to U.S. actions against Huawei.
These rules could deter Chinese companies from procuring foreign equipment if they fear these products would be subject to lengthy reviews or even get blocked, said Yan Luo, a Beijing-based attorney focused on cybersecurity policies at Covington & Burling LLP.
Another batch of rules outline steps involving security tests on “critical network equipment.”
The Ministry of Industry and Information Technology, which drafted this set of rules, said it had received feedback from foreign companies—including Cisco, IBM, Juniper, Dell, and Germany’s Siemens AG—that make network equipment such as routers, switches and servers. Any new measures would offer an open and uniform standard and “foreign technologies and products will not be discriminated against,” the ministry said.
A Cisco spokesman said the company is committed to complying with local law. Dell said it advocates for policies that enable an open and secure digital economy. An IBM spokesman said the company is “confident that we can comply with these standards.” A Siemens spokesman said the company advocates “for dialogue between all parties including regulators to strengthen trust between all stakeholders.” Juniper didn’t comment.
U.S. businesses are also concerned about proposed changes that restrict information about individuals that could undermine national security or damage public interest from leaving China and require network operators to undergo a local security review over other personal data.
The combined effect of these new rules would be to increase the cost and risk of doing business in China, said Lester Ross, a Beijing-based attorney and chair of the American Chamber of Commerce in China policy committee.
U.S. businesses and trade groups say some of the proposals are too vague and give Chinese officials leeway on enforcement