China’s cybersecurity law threatens business

China’s introduction of a new cybersecurity law threatens to stifle innovation and harm international business

  • By Professor Georges Haour | Tuesday, November 22nd, 2016

Lu Wei, the senior executive official in charge of cybersecurity, delivers a speech at the World Internet Conference

China has the world’s largest market for digital shopping, mobile payments, and internet-enabled financial services. Close to 400 million people in China conduct the majority of their payments using their smartphones. China’s overall information technology market is valued at well above $300bn, and it is estimated that more than 700 million Chinese have access to the internet. Therefore, any law impacting the online space – cybersecurity included – is sure to make ripples in the way China does business.

That’s why its new cybersecurity law – due to take effect in June of next year – is particularly alarming. It is part of an ongoing government programme to reinforce China’s cybersecurity, and, arguably, looks to target non-Chinese hackers. The introduction of the law comes during a period of continued tension between the US and China – with both accusing the other of hacking in recent years. This tension extends beyond just cybersecurity, however, spreading to trade, the economy, and, of course the US election – which inevitably had great implications on how business would be conducted between the two nations. The law appears to be counterproductive in several ways.

These pieces of information could easily be passed on to Chinese companies… providing them with a distinct competitive advantage

As the law sets forward, important network equipment and software will have to receive government certifications. This means that specific pieces of intellectual property or technical features will have to be divulged. These pieces of information could easily be passed on to Chinese companies by the regulators behind cybersecurity – providing them with a distinct competitive advantage over their foreign counterparts. It shouldn’t be forgotten that government interference in China is far more prevalent than in western nations. And the tremendous power held by the state allows it to play a more critical role in economic plans.

The businesses most at risk will be those with special hardware and systems for network management, but the programme could even include data from, and for, ATMs. New generation ATMs have a much higher level of connectivity, utilising mobile integration and face recognition. This makes them more vulnerable to hacking, and means confidential devices and information will have to be used for protection. Under this new law, ATMs could act as a new source of information for the government.

This law is also counterproductive because companies gathering data in so-called ‘critical areas’ will have to store that data inside China. At this stage, the definition of ‘critical’ is worryingly broad. Complying with this requirement will force international firms to make expensive investments in order to build duplicate facilities within China. This is in total contradiction to the free flow of data, which is expected to swell in 2020 after the introduction of 5G.

International companies will have to weigh this risk against the benefits of doing business in China. China has long had a reputation for ‘copying’ without getting insider access, and this law will only ease the process by which businesses review foreign competition. For international companies there is no easy way forward as the choice is black or white. Either foreign companies will comply – knowing that China has a way to peek into data that was previously private – or they will chose to stand by their principles of privacy and risk being excluded from the Chinese market. Despite the challenging dilemma, companies are likely to comply, giving in to China’s demands. The Chinese market is too large and too ripe for future growth, especially when compared to more stagnant outlooks in Europe and the US.

While cybersecurity is important, this law will ultimately restrict movement in a free market

In addition to creating barriers for international business in China, this kind of legislation stifles innovation. It could well be considered to be part of what has become known as ‘indigenous innovation’ in China. This process favours Chinese firms by establishing non-tariff barriers – such as specific standards or regulations on products – in order to limit non-Chinese firm’s access to China’s dynamic marketplace. The overall impact would be wide-ranging, extending from consumer electronics to products used to produce renewable energy – including windmills and solar panels.

Innovation is a complex process, and in order to flourish requires society to be as open as possible, allowing a vibrant exchange of ideas between various people. While cybersecurity is important, this law will ultimately restrict movement in a free market. Entrepreneurs in China aren’t often bothered by their government’s management of the internet – often referred to as the ‘great firewall’ – but this new law emphasises the nation’s tightening grip on its wider uses. Furthermore, far from favouring China’s champions in this industry – such as Huawei, Lenovo, or Tencent – this law will act to handicap them in the long-term. Maybe the hope is that these companies will fight to alter the law and mitigate the negative implications for China’s internet landscape.

US companies have already begun to lobby strongly against the law, as well as China’s management of the internet in general. But despite the efforts of any company – Chinese or otherwise – the cybersecurity law is just a piece in a larger, ongoing political puzzle that companies will have to deal with. Trump’s stance on trade is equally, if not more, alarming for business. In the end, agility will be key for companies to succeed in this tense political environment.

Professor Georges Haour is a Professor of Technology and Innovation Management at IMD Business School