US should focus on China’s cybersecurity law, not its tech programme, says group representing Apple, Google and more

Information Technology Industry Council presses Trump administration to seek changes in China’s tougher treatment of online activity and user content

PUBLISHED : Wednesday, 22 August, 2018, 4:49am
UPDATED : Thursday, 23 August, 2018, 2:53am

As more businesses weigh in on the accelerating US-China trade war, a group representing Apple, Google, Samsung and other global technology giants is telling the Trump administration that it has the wrong target in its sights.

The White House is pushing Beijing to abandon its “Made in China 2025” programme, which provides massive financial support for domestic innovation in technology.

But the Information Technology Industry Council (ITI) is telling as many US government officials as it can that there’s another, far more pressing issue to deal with: China’s new cybersecurity law.

ITI advocates on behalf of global tech giants on issues that affect them broadly, partly because its constituents – which also include Toyota, Nokia and even China’s Lenovo – are reluctant to be public about the differences with the governments that regulate them.

“It’s really not helpful to tell China, ‘You need to change or walk back Made in China 2025.’ Frankly, it’s not helpful to us,” Naomi Wilson, ITI’s director of global policy for China and Greater Asia, told the South China Morning Post. She said ITI supported the White House’s objectives, but its plans did not deal with the real problem.

“If China were to just sweep Made in China 2025 under the rug, all of these other regulations and laws still exist. China will proceed with implementation and enforcement of those laws.”

While China’s cybersecurity law was enacted in June 2017, associated regulations have been published by various governing bodies since then, setting punishments including fines for individuals of up to 100,000 yuan (US$14,600) for not properly censoring content, and the revocation of permits and business licences.

The Made in China 2025 programme, by contrast, is a set of guidelines and does not spell out punishments for companies or individuals.

Wilson said the cybersecurity law created more risk than the merely “aspirational” Made in China programme for foreign companies operating in China, particularly as rules stipulating how companies must comply with the new law were still being rolled out.

Other experts agree.

China’s cybersecurity law “will present an unprecedented challenge for international businesses with operations in China”, according to a white paper published by the international law firm Reed Smith after it went into effect.

The Cyberspace Administration of China, the main authority charged with supervising and enforcing the cybersecurity law, “has been focusing its enforcement effort on user-content monitoring … as part of the effort to ‘clean up’ the internet”, Reed Smith said.

“Already, the Chinese government has imposed maximum fines on technology giants operating in China for failing to adequately censor banned user content on their websites.”

Wilson said US President Donald Trump’s use of punitive tariffs on Chinese imports to end the Made in China programme and reverse the US trade deficit with China sidelined the government on global cybersecurity regulation, leaving out officials who better understood how to protect the interests of tech companies relying on global supply chains.

“There are absolutely experts within the US government, many of them civil servants, who have been working on these issues for years and understand the complexities of these policies and regulations very well,” Wilson said.

“I think the US government senior leadership would be well advised to listen to those who have been working on this for decades.

“It’s dangerous to assume that an outside perspective just shed new light on the US-China relationship and what the problems are and people who have not been working on these issues are going to come in and just fix it because they’re going to use a tactic that no one has used before.”

Some ITI member companies have already begun trying to comply with China’s cybersecurity law.

In February, Apple began storing the iCloud accounts of its Chinese users at a new data centre in southwestern Guizhou province to get ahead of the law’s data localisation provision, which takes effect on December 31 this year.

While the move does not provide China’s regulators with encryption keys of the iCloud accounts, authorities there will not need to go through US courts to access an account’s data, as was the case previously.

Wilson said ITI was trying to persuade regulators in China and elsewhere that data localisation requirements could create more vulnerabilities than cloud storage because they forced companies to keep their network’s data in one place. This gives hackers a single point of entry.

The new law requires all “network operators” and operators of “critical information infrastructure” – the latter including companies in the transport, energy and finance sectors – to undergo security reviews to ensure that their data systems are “secure and controllable”.

According to the Reed Smith document, the phrase “secure and controllable” “has not been formally defined, but appears to be understood by commentaries to mean preference of domestic products with back-door access to the government over foreign products and technologies”.

Last spring, testifying at a US Senate hearing reviewing China’s rules regarding information technology practices, ITI chief executive Dean Garfield said China was “doing things that are both legitimate and illegitimate to put its thumb on the scale in favour of its local champions so they can corner the market on the frontier innovations of the future”.

The organisation is delivering its message wherever it can. “We are regularly talking to lawmakers on the Hill and folks in the administration,” ITI communications manager Jose Castaneda said.

“In addition, Dean sits on the USTR Trade Advisory Committee, where we have raised our concerns as well,” he said, referring to the US Trade Representative.

On Tuesday, ITI’s Wilson testified at a public hearing before the inter-agency “301 committee” in Washington about the possible imposition of duties on an extra US$200 billion of Chinese goods. Tariffs on US$50 billion worth of goods are already in effect or about to be imposed.

Product categories under discussion for the next round include printed circuits – key components in the products many ITI member companies sell.

New tariffs on these components “would directly increase the cost and resources required to build data centres in the United States, yet the consequences extend well beyond increasing the cost of construction”, Wilson told the committee.

It would raise costs for both small and medium-sized American businesses that relied on these data and cloud services to run their day-to-day systems.

“While the administration’s threat of tariffs has achieved the first step of getting China’s attention, we have yet to see a change in China’s behaviour or evidence of serious negotiations,” she said.