China’s tough cyber rules raise risk of infiltration, US business group says
US-China Business Council says Beijing’s demands on localising data and revealing source codes raise the threat of security breaches
A leading US business group has urged Beijing to loosen limits on data flow and storage that raise the risk of security breaches for foreign companies.
The call from the US-China Business Council is part of a series of detailed recommendations to the Chinese government in response to its controversial cybersecurity law, which came into effect in June.
In a report released on Monday, the council said China should follow best international practice by opening access to cloud computing services, levelling the playing field in technology procurement and allowing foreign firms to send copies of data abroad for analysis and processing.
It suggested the government narrow the definition of national security and state secrets, and have a clear system for appeals against data export security reviews.
The call comes as Washington is mulling retaliation over what it says are Beijing’s discriminatory industrial practices and intellectual property theft.
US President Donald Trump has criticised China for “unfair” trade action such as forced technology transfers, and vowed a range of punitive responses, including tariffs, export quotas and investment restrictions on Chinese firms’ access to the US market.
The US Congress is also working on to strengthening the role of the Committee on Foreign Investment in the United States in screening foreign acquisitions, especially from China, on national security concerns.
The council’s report also recommended that foreign partners in joint ventures be allowed to own and control software and other technology licensed to the joint ventures.
The report was based on interviews with dozens of executives of the US technology firms operating in China and reflects concerns about Beijing’s insistence that foreign firms localise data, disclose source codes and buy technology from Chinese companies.
“Implementing unique technology for a single country in a global network will increase the risks that a company’s systems could be infiltrated or compromised,” council president John Frisbie said.
“To ensure strong data and IT systems security, China should look to the best practices and expertise offered by all companies and developed and tested through global experience.”
Foreign companies and China observers have warned that Beijing’s new cyber requirements and its broad definition of national security could affect the overseas operations of Chinese companies.
“Chinese policies concerning investment, data export, product security reviews and critical information infrastructure affect the operations of both foreign and domestic companies in ways unseen in other markets,” the report said.
The council also suggested the government invite foreign firms and industrial associations to help draft technology security standards that would not require disclosure of source codes and the use of local encryption standards.
Samm Sacks, a senior fellow in the technology policy programme at the Washington-based Centre for Strategic and International Studies, said “China’s emerging cybersecurity regime runs the risks of contributing to a trend that could lead to a semi-Balkanised internet”.
In a report last month, Sacks said China’s information technology sector was becoming more closed to foreign competition in network products and services, and warned that China’s internet firms could “face new restrictions in global markets as policymakers in the US and possibly Europe look to exert pressure on Beijing for reciprocity”.
To comply with China’s cybersecurity law, US online retailer Amazon sold part of its cloud business to its Chinese partner in November. And last month Apple announced it would set up a data centre in Guizhou province and migrate information for China-based accounts to the centre from the end of February. The centre will be overseen by provincial authorities.
