Oct 17, 2019

China's upgraded cybersecurity law could take a toll

Illustration: Aïda Amer/Axios

China is applying tougher cybersecurity standards more widely as of Dec. 1, requiring companies to open their networks and deploy government-approved equipment. The changes worry international organizations and underscore the difference between U.S. and Chinese approaches to cybersecurity.

The big picture: China already has a law, applying to the most secure networks, that allows the government to audit private business networks and mandates the use of government-approved security equipment. That law will now apply to all networks.

  • "It’s going to be incredibly invasive," said Adam Segal, director of the Digital and Cyberspace Policy Program at the Council on Foreign Relations.

Background: China's cybersecurity law has been on a slow rollout since 2017. Clarifications of standards serving as de facto regulations were introduced in May this year.

  • Those included the right for China to plug into networks and check for cybersecurity, as well as mandates about securing supply chains for network security.
  • Until December, those standards only technically apply to companies where breaches could cause national security problems, though Chinese officials often hold companies to regulations in advance of their formal launch dates.
  • "Now the standards will apply to any company with a network," Samm Sacks, a fellow at the New America think tank, told Axios.

This puts a burden on U.S. companies that American companies are not used to. "Chinese companies won't bat an eye at it," Sacks said.

  • Given China's record of using hackers to steal intellectual property from global competitors, some network owners worry — justifiably, according to experts — that allowing China access to their data puts corporate secrets at risk.
  • China has a history of using any means necessary to aid domestic businesses. That could now include ruling that a foreign company has failed to meet official security muster — boxing competitors out of China's market.

But, but, but: Those worst-case scenarios might not be the problem immediately at hand, said James Lewis, who currently heads cybersecurity at the Center for Strategic International Studies and formerly served in several federal positions evaluating and negotiating with China.

  • "The Cybersecurity Authority of China [CAC] insists it won't use the law to steal private information. And China has so many other ways to steal intellectual property that it probably doesn't need to," Lewis told Axios.
  • As with all things China, if the party tells the CAC to steal data in the future, it will do so, Lewis added.

The most immediate problem may be that the cost of compliance can become prohibitive for some firms to operate in the country. "If you are a smaller company, you may think twice about moving into China," said Segal.

  • The broader trade conflict between the U.S. and China makes it tougher for foreign firms to protest.

Chinese firms have a poor record on cybersecurity, said Lewis. The tougher law, at least ostensibly, addresses a very real issue.

The U.S. faces similar issues, but it addresses them differently. The U.S. operates using fewer top-down security requirements, choosing instead to emphasize trade groups setting industry standards.

  • The U.S. is far more permissive about lower-risk networks, offers more autonomy to network administrators, and generally uses a scalpel where China uses a chainsaw.

One thing the U.S. and China have in common: "In China, network operators have to submit to 'black box' security reviews. We have no idea what it takes to pass," said Sacks. "I'm beginning to see that from the Trump administration."

Go deeper

Coronavirus dashboard

Illustration: Aïda Amer/Axios

  1. Global: Total confirmed cases as of 3 a.m. ET: 5,410,228 — Total deaths: 345,105 — Total recoveries — 2,169,005Map.
  2. U.S.: Total confirmed cases as of 3 a.m. ET: 1,643,499 — Total deaths: 97,722 — Total recoveries: 366,736 — Total tested: 14,163,915Map.
  3. World: White House announces travel restrictions on Brazil, coronavirus hotspot in Southern Hemisphere Over 100 coronavirus cases in Germany tied to single day of church services — Boris Johnson backs top aide amid reports that he broke U.K. lockdown while exhibiting symptoms.
  4. Public health: Officials are urging Americans to wear masks headed into Memorial Day weekend Report finds "little evidence" coronavirus under control in most statesHurricanes, wildfires, the flu could strain COVID-19 response
  5. Economy: White House economic adviser Kevin Hassett says it's possible the unemployment rate could still be in double digits by November's election — Public employees brace for layoffs.
  6. Federal government: Trump attacks a Columbia University study that suggests earlier lockdown could have saved 36,000 American lives.
  7. What should I do? Hydroxychloroquine questions answeredTraveling, asthma, dishes, disinfectants and being contagiousMasks, lending books and self-isolatingExercise, laundry, what counts as soap — Pets, moving and personal healthAnswers about the virus from Axios expertsWhat to know about social distancingHow to minimize your risk.
  8. Other resources: CDC on how to avoid the virus, what to do if you get it, the right mask to wear.

Subscribe to Mike Allen's Axios AM to follow our coronavirus coverage each morning from your inbox.

Updated 51 mins ago - Politics & Policy

U.S. coronavirus updates

Data: The Center for Systems Science and Engineering at Johns Hopkins; Map: Andrew Witherspoon/Axios. This graphic includes "probable deaths" that New York City began reporting on April 14.

The CDC is warning of potentially "aggressive rodent behavior" amid a rise in reports of rat activity in several areas, as the animals search further for food while Americans stay home more during the coronavirus pandemic.

By the numbers: More than 97,700 people have died from COVID-19 and over 1.6 million have tested positive in the U.S. Over 366,700 Americans have recovered and more than 14.1 million tests have been conducted.

World coronavirus updates

Data: The Center for Systems Science and Engineering at Johns Hopkins; Map: Axios Visuals

Japan's economy minister outlined plans on Monday to end the nationwide state of emergency as the number of new novel coronavirus cases continues to decline to fewer than 50 a day, per Bloomberg. Japan has reported 16,550 cases and 820 deaths.

By the numbers: Over 5.4 million people have tested positive for the virus as of Monday, and more than 2.1 million have recovered. The U.S. has reported the most cases in the world (over 1.6 million from 13.7 million tests). The U.K. is reporting over 36,800 deaths from the coronavirus — the most fatalities outside the U.S.