China’s Cybersecurity Future and its Impact on U.S. Business

Zhonghua Renmin Gongheguo Gong'an Bu 中华人民共和国公安部 [The Ministry of Public Security of the People’s Republic of China], Wangluo Anquan Jibie Baohu Tiaoli (网络安全级别保护条例) [Multi-level Protection of Information Security] (June 27, 2018) (China).

China is implementing its newest cybersecurity standards (“MLPS 2.0”) on December 1, which will require companies to make their networks transparent to Chinese government agencies and to install government-approved network equipment. Under the new rules, all companies operating in China must report their cybersecurity strategies to the Chinese Ministry of Public Security and allow that agency to monitor their secure networks. All internet service providers (“ISPs”) and mobile data providers must require new users to provide facial scans to receive access to their services, greatly increasing the government’s control over personal data. The China Law Blog explains that under the cybersecurity law, the Chinese government has the authority to obtain any information from any person or entity that it deems a threat to national security or the public interest. In an increasingly digital age, China appears to be ramping up its cybersecurity measures in order to protect its own national and public security interests.

The original Multi-Level Protection System (“MLPS”) cybersecurity program was originally launched in 2006 as a way for China to protect its digital infrastructure. In 2017, the Chinese government implemented stricter regulations that allowed agencies to more directly monitor corporate networks. When a data breach would pose a national security threat, the government would step in and monitor the network. MLPS 2.0 shifts regulations to encompass every corporation that operates in China, including American and multinational entities. Under the previous cybersecurity rules, the Chinese government would need to approach U.S. companies to obtain access to their data. MLPS 2.0 allows the government to access all data at any time without permission.

MLPS 2.0 drastically increases the capability of the Chinese government to monitor its networks and has many implications for both Chinese and multinational businesses. Samm Sacks, a New America cybersecurity fellow, notes that “we’re seeing a trend where the Chinese government is putting in place new tools that make it much more difficult for foreign and domestic companies to keep their information private.” Chinese businesses may hesitate to import foreign equipment due to the hurdles created by the new government approval process. U.S. businesses are growing increasingly concerned about the impact these cybersecurity mandates will have on their development in Chinese markets. Tech manufacturers such as Cisco, IBM, and Dell would be acutely affected by the proposed standards. Other industries such as the financial services, energy, telecommunications, and automobile industries could be heavily impacted as well. Companies fear the policies are too vague and would allow the Chinese government to be privy to trade secrets without strict enforcement guidelines.

Conducting business in China could become even more difficult for foreign corporations due to these data privacy concerns. Because of the new policy mandating use of government approved equipment, many multinational companies fear having to switch to Chinese networks and service providers. The risk of intellectual property theft looms over U.S. and other foreign businesses as well. U.S. businesses are also concerned about restrictions that may affect the transfer of personal information deemed a national security risk. As a result, the costs and risks associated with doing business in China will likely increase.

Politics could play an even greater role in the Chinese markets following the implementation of MLPS 2.0. Policy experts claim the U.S. actions against Huawei may lead to supply-chain disruption in China due to “politics, diplomacy and trade.” The ultimate impact on U.S. and multinational corporations is largely still to be determined. What is clear, however, is that the Chinese government will play a much larger role in improving its cybersecurity systems.