The Chinese government has introduced new cybersecurity laws which make it difficult for foreign businesses to keep information private. Lawyers that specialise in cybersecurity are investigating how companies can protect sensitive data.
Beijing’s Cybersecurity Multi-level Protection Scheme 2.0 comes into effect on December 1, 2019. The new laws hand Chinese authorities the power to access all business data of foreign companies with business interests in China. Experts say China is restricting business opportunities for foreign companies. Others are concerned China is expanding its espionage program.
The official explanation is that China’s plan is to develop a defensive cyber structure that will protect its banks, manufacturers, researchers and developers from cyberattacks.
Essentially, anyone operating in China or investing in certain Chinese products, whether public or private, has no option other than to allow Beijing’s Cybersecurity Bureau access to their data.
The new laws cover every form of digital activity including cloud servers and telecommunications providers. Chinese politician, Guo Qiquan, who was involved in drafting the new regulations, said:
“It will cover every district, every ministry, every business and other institution, basically covering the whole society. It will also cover all targets that need cybersecurity protection, including all networks, information systems, cloud platforms, the internet of things, control systems, big data and mobile internet.”
From 1 December, internet service providers and mobile data providers operating under China’s cybersecurity laws must request facial recognition scans of customers who subscribe to their services. This ensures that every new cell phone assigned in China will be subject to data retrieval.
Global firms are concerned about how the new cybersecurity laws will affect their operations. For example, if cloud hosting services have any association with China, they may be licensed by the Chinese government and could be blocked. This could leave millions of foreign businesses without access to important business applications.
The only option for providers to continue operations without any disruption to their clients’ servers is to convert to Chinese networks and allow Beijing’s inspectors to access business data. This includes proprietary business secrets.
Under the new rules, companies that operate within Chinese networks must inform the Cybersecurity Bureau what data they handle. Companies are also obliged to demonstrate which government-approved infrastructure and strategies they use to protect sensitive data from cyberattacks.
The Ministry of Public Security police teams have the authority to ask companies to provide documentary evidence that supports their claims. In some circumstances, the new laws give China’s Cybersecurity Bureau the power to directly access business networks to verify that the information they have been given is correct.
China’s Cybersecurity Problem
It’s well known that China has a huge problem with cybersecurity. A lot of information is bought, stolen and traded by cybercriminals, and the government wants to eradicate fraudulent deals.
However, some cybersecurity industry professionals see an ulterior motive. Experts say China’s new regulations enable it to conduct “invasive audits and inspections” that could expose source code or other proprietary information.
Naturally, there is a concern that the government’s goal is to acquire a totality of data for the purpose of surveillance and control, and not for commercial transparency.
Samm Sacks, a cybersecurity policy and China digital economy consultant in Washington DC, said:
“We’re seeing a trend where the Chinese government is putting in place new tools that make it much more difficult for foreign and domestic companies to keep their information private.”
Regardless of the intentions of the Chinese government, the new cybersecurity laws are a concern for international businesses and their customers.
Foreign firms are being advised to consult lawyers specialising in cybersecurity law, who will be able to advise on how much data companies have to reveal and how they can protect sensitive data.