China: New Cybersecurity Law Threatens Foreign Companies’ Privacy
China’s implementation of a new cyber-security law will likely affect foreign businesses privacy of their own data. Known as the Multilevel Protection Scheme (MLPS 2.0), this law requires all companies to abide by certain requirements to secure their networks, which could leave foreign companies vulnerable to Chinese inspection.
MLPS 2.0’s objective is to create a system which would be closed against cyber threats while keeping the system open for China’s Ministry of Public Security, which will have complete access by installing backdoors into the system. Therefore, no companies are allowed to use technology that would hinder access such as VPN or private servers. [i]
Companies are not allowed to encrypt data so that it cannot be viewed by the Chinese government. Therefore, companies would be required to hand over encryption keys. [ii]
MLPS 2.0 forbids trade secrets, meaning any company operating in China whose trade secret is on a Chinese network will be able to be seen by the Chinese government. This includes emails, phone calls, and any other form of electronic communication. [iii]
China is likely to exploit the MLPS 2.0 for espionage and interference in American corporations. The MLPS 2.0 updates a call for Beijing’s Cybersecurity Bureau to have access to foreign companies’ and governments’ private business information for transparency and to prevent cyber attacks. The MLPS 2.0 allows for Beijing’s Cybersecurity Bureau to access foreign companies and governments private business information, under the guise of transparency and cyber-attack prevention. It is likely that Beijing will take business's information to advance Chinese economic and military interest without paying or directly confronting businesses.
One in five North American based corporations claimed to have intellectual property stolen by China in the past year according to the CNBC Global Chief Financial Officer Council. [iv]
White House officials believe Chinese originated cyber attacks cost the American economy up to $57 billion each year leading to distrust among American corporations doing business in China. [v]
The 2019 law requires security tests on critical network equipment and reviews over information data that would give Chinese officials greater access to American corporations’ business information and personal data. [vi]
The MLPS 2.0 is an additional barrier to the Chinese market for American investors as investors are likely to be more wary of data stored within the country due to concerns about Chinese cyber espionage. China will be able to circumvent the US government’s cyber-security legislation, leading many American businesses to be concerned about data privacy. It is likely that companies will be required to purchase new Chinese equipment or change storage centers to comply with security regulations which would allow Beijing’s Cybersecurity Bureau to have easier access to potentially sensitive information.
Apple opened a new iCloud center within China in 2018 granting the Chinese government with encryption keys for Chinese user data under the earlier cyber security laws, which allowed Beijing to circumvent the US legal system. [vii]
American companies conducting foreign business often have multiple hosting platforms across the globe, many of which could not follow Chinese security standards. This would require the company to switch to Chinese hosts instead. [viii]
The MLPS 2.0 regulates how data is stored by American companies in China, but also how that data is accessed and exported causing potential complications with data sharing among different branches of a company. [ix]
Sources
[i] Dickinson, Stephen. "China's New Cybersecurity System: There is No Place to Hide." China Log Blog.
https://www.chinalawblog.com/2019/10/chinas-new-cybersecurity-system-there-is-no-place-to-hide.html
[ii] Chang, Gordon. "China Adopt Malicious Cybersecurity Rules." Gatestone Institute.
https://www.gatestoneinstitute.org/15230/china-adopts-malicious-cybersecurity-rules
[iii] Ibid i
[iv] Eric Rosenbaum. “1 in 5 corporations say China has stolen their IP within the last year.” CNBC. 1 March 2019.
[v] Laura Sullivan. “As China Hacked, U.S. Businesses Turned A Blind Eye.” NPR. 12 April 2019.
[vi] Yoko Kubota. “American Tech Shudders as China Cyber Rules Are Expected to Get Tougher.” The Wall Street Journal. 29 July 2019.
https://www.wsj.com/articles/chinas-cybersecurity-regulations-rattle-u-s-businesses-11564409177
[vii] Nellis, Stephen and Cadel, Cate. “Apple moves to store iCloud keys in China, raising human rights fears.” Reuters. 23 February 2018.
[viii] McCarthy, Simone. “Will China’s revised cybersecurity rules put foreign firms at risk of losing their secrets?” South China Morning Post. 13 October 2019. https://www.scmp.com/news/china/diplomacy/article/3032649/will-chinas-revised-cybersecurity-law-put-foreign-firms-risk
[ix] Ibid vi
