Cloud Hosting

Just days before Chinas new cybersecurity law goes into force, foreign companies are grappling with rules that could tighten what is already one of the worlds most restricted technology regimes.

Recent changes to the language of the law ahead of its June 1 implementation, such as a broader definition of those affected, could drag in a wider array of services and products. While industry groups are lobbying for a delay, the government is moving ahead.

China is bringing in a raft of new measures, giving the government unprecedented access to foreign companies technology, as it bolsters control of the collection and movement of data. Forcing companies to store information within the mainland has already led some to tap cloud computing providers with more local server capacity, a potential boon to homegrown Alibaba Group Holding and Tencent Holdings Ltd. at the expense of Amazon.com and Microsoft. Alibaba Group is the owner of the South China Morning Post.

Almost all our companies are making moves to ensure that the majority of the data they collect in China is stored on servers located within China, said Jake Parker, vice-president of the US-China Business Council in Beijing. Its not just the technology companies its financial services, semiconductor manufacturers, every sector of business in China, thats impacted.

China pushes through cybersecurity law despite foreign business fears

One organisation that could feel the pinch of the regulations is GreatFire.org, which monitors blocked websites in China and helps users behind the nations controls. The non-profit group creates copies of banned sites hosted outside the mainland, putting them on Amazon Web Services cloud servers to circumvent government restrictions known as the Great Firewall.

Our strategy would collapse because if foreign businesses host all of their data in China, they would face minimal disruption if the authorities cut off access to the foreign internet, said GreatFire.org founder Charlie Smith.

Alibaba said in a statement it follows all local laws where we conduct our business. Microsoft declined to comment, Tencent could not immediately comment and Amazon did not immediately respond to a request for comment.

In addition to the restrictions on moving data beyond the mainland, provisions in the law include a more comprehensive security review process for key hardware and software deployed in China and a requirement to assist authorities conducting security investigations.

While individual firms in China rarely speak out publicly against government policy, more than 50 trade associations and chambers of commerce signed a letter in May to the government seeking a delay.

They argued that the law could affect billions of dollars of cross-border trade and lock out foreign cloud operators because of limits on how they operate in the country.

These measures will add costly burdens, restrict competition and may decrease the security of products and jeopardise the privacy of Chinese citizens, according to the letter from bodies representing businesses based in the US, Europe, Japan, Korea, Australia and elsewhere.

Foreign firms are pushing for change, but the law has support from some domestic experts, such as Li Yuxiao, a professor who studies internet regulation at Beijing University of Posts and Telecommunications. He sees secure information systems as integral to protecting the economy while also placing value on domestic operating systems over foreign products.

Cybersecurity is crucial to national security, he said.

Is China making life difficult for foreign companies?

Gabriela Kennedy, a Hong Kong-based partner at the law firm Mayer Brown JSM, said the National Peoples Congresss Standing Committee passed the law in 2016 ahead of its implementation, giving companies and others time to adjust. Subsequent language published by the government expanded the scope of a law that was considered quite onerous to begin with, she added.

For example, rules limiting the transfer of data outside Chinas borders originally applied only to critical information infrastructure operators. But that was changed mid-April to network operators, which could mean just about any business.

Even a small e-business or email system could be considered a network, said Richard Zhang, director of KPMG Advisory in Shanghai.

Another provision requires IThardware and services to undergo inspection and verification as secure and controllable before companies can deploy them in China. That appears to be already tilting purchasing decisions at state-owned enterprises.

Weve heard from our members that domestic banks and SOEs are being much more thoughtful about purchasing domestic technology and shifting away from foreign products, despite the fact that theres no specific requirement for them to do so, said Parker.

While the laws affect all companies in China, its expected to hit the foreign firms the hardest. That is because they typically have more businesses, headquarters and data processing centres overseas with a greater need to move information outside the mainland, according to Scott Thiel, a Hong Kong-based partner at the law firm DLA Piper.

Why foreign companies are shutting shop in China

Sophisticated or widespread cyberattacks, such as the recent WannaCry ransomware attack that exploited versions of Microsoft Windows, may bolster the governments resolve.

Adam Segal, director of the Digital and Cyberspace Policy Programme at the Council on Foreign Relations in New York, said: We can assume that Chinese leadership will use it as an example of why China needs its own technology and cannot continue to rely on foreign suppliers.

See the original post here:
Foreign firms grapple with China's 'punitive' cybersecurity laws - South China Morning Post