Last month, China’s legislature passed the Cybersecurity Law, which is due to take effect next summer. The controversial law has drawn criticism from technology companies, Western government officials, and human rights advocates. The Cipher Brief spoke with Adam Segal, Director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations, about what this new law hopes to accomplish and why it has drawn so much criticism.
The Cipher Brief: Could you explain China’s new cybersecurity law and the stated rationale behind it?
Adam Segal: In November, China’s National People’s Congress adopted a new cybersecurity law, which is set to come into effect in June 2017. The law’s stated rationale is to “ensure cybersecurity, to preserve cyberspace sovereignty, national security and societal public interest, to protect the lawful rights and interests of citizens, legal persons and other organizations.” In other words, the law is meant to improve the defense and resilience of Chinese networks and to ensure the Communist Party’s continued control over cyberspace.
The law contains provisions on the protection of personal information; development of cybersecurity standards and emergency response plans; definition of legal responsibility and sanctions for violations; and promotion of cybersecurity education and public awareness. Interestingly, in what looks like a mirroring of President Barack Obama’s 2015 executive order on sanctioning hackers, the law threatens punitive actions, including the freezing of assets, of “foreign individuals or organizations engaged in attacks, intrusions, interference, destruction and other such acts harming the critical information infrastructure.”
The law sits at the convergence of two trends. First, the revelations of NSA contractor Edward Snowden and the overall growth of cybercrime and cyber attacks have both energized new concerns about the reliability and security of Chinese systems. Second, Chinese President Xi Jinping is clearly worried about threats to domestic stability. Over the last two years, China has tightened censorship of the Internet and media, passed a new law regulating foreign non-governmental organizations, and arrested rights lawyers, feminists, foreign NGO workers, bloggers, and environmental activists.
Many of the provisions in the law previously existed elsewhere. The law brings them together in one place, creates clearer lines of authority and responsibility, and represents a continuation of the effort to streamline cyber policy making and implementation—a process that dates back to the creation in 2014 of the Central Leading Group for Cybersecurity and Informatization, which is chaired by President Xi Jinping, and the Cyberspace Administration of China.
TCB: How could this new law further facilitate the state’s control over information and stifle dissent?
AS: The law consolidates the trend of greater control over the Internet begun by President Xi Jinping. The new law requires companies to censor “prohibited” information; criminalizes the use of the web for inciting subversion, endangering national unity, propagating terrorism and extremism, and fabricating and disseminating false information; and limits online anonymity. Users must provide their real name and personal information for social media accounts, and the law adds instant messaging services to the list of services that users must register with their real names. The law also requires critical information infrastructure operators to store users’ “personal information and other important business data” in China, but leaves “important business data” undefined. In addition, the law provides the legal basis for large-scale network shutdowns to respond to “major [public] security incidents,” as has happened previously in Xinjiang after riots in July 2009.
TCB: What does this law mean for foreign technology companies operating in China? Is this a protectionist policy seeking to boost China’s domestic technology industry?
AS: It will make operations in China more difficult, raising questions about how willing companies are to cooperate with the government in return for access to the market. Foreign technology companies are worried about the provisions requiring data localization, security reviews for equipment used in key information infrastructure, and requirements to allow the inspection of source code. In August 2016, while the law was still in draft form, 46 global business groups wrote a letter to Premier Li Keqiang arguing that the law “would impede economic growth and create barriers to entry for both foreign and Chinese companies.”
The law is also likely to have a detrimental effect on Chinese startups. The requirement to monitor and log operational data of networks for six months, for example, will place a large burden on livestream services and other companies.
While China has legitimate security concerns, there is a long history of using cybersecurity policy as industrial policy. Xi Jinping has consistently stressed that independent innovation and the control of core technologies are essential to China becoming a cyber power. As Xi put it in a speech in April 2016, “Internet core technology is the greatest ‘vital gate,’ and the fact that core technology is controlled by others is our greatest hidden danger.” An engineer from the Ministry of Public Security was uncharacteristically frank about boosting Chinese tech firms over multinational corporations in one document: “The big trend is called shifting to domestic production. But it can’t be written that way, so one calls it independent and controllable.”
TCB: Have policies by the U.S. or other liberal democracies contributed to, or tacitly justified China implementing this new cybersecurity law?
AS: In response to foreign criticism, Chinese Foreign Ministry spokesman Lu Kang argued “that specific articles in this law are nothing significantly different from similar laws adopted by other countries.” Chinese leaders were more explicit in using U.S. discussions about terrorism and encryption to justify provisions in the draft counterterrorism law that required the installation of backdoors and the reporting of encryption keys. Fu Ying, chairperson for the Foreign Affairs Committee of the National People's Congress, for example, argued that Western countries, such as the United States and the United Kingdom, often request that technology firms disclose encryption methods.
It is worth stressing, however, that independent of what happens in the U.S. or other liberal democracies, China has its own reasons to focus on cybersecurity. The cybersecurity law addresses and is shaped by long-standing concerns about domestic stability, national security, and technological dependence. Western companies can do little to moderate these forces and must prepare for a future shaped by them.
This article has been updated to reflect Fu Ying's current title.