China’s Cybersecurity Laws: Bad for Internet Users, Worse for Businesses

Last week we explored the difference between authorized and unauthorized VPNs, and this week we’re digging deeper to look at the business implications of China’s strict cybersecurity laws. China imposes many guidelines and restrictions on businesses operating in the country, which apply to a variety of providers beyond VPNs.

As pointed out in a document from the US-China Business Council, China’s cybersecurity law has many negative implications for both foreign and domestic businesses relating to:

• Data Flows and Localization
• Market Access and Global Solutions
• Secure and Controllable Technology and Overly Broad Cybersecurity Review Regimes

Data Localization Requirements

China imparts strict data localization requirements, meaning companies operating in China or offering services to Chinese users are often required by law to store data for their Chinese customers on servers located within China. This is concerning for a variety of reasons and creates operational inefficiencies, excessive (and unnecessary) costs and major security risks.

• Stifles innovation across borders: China’s rigid requirements stymie innovation and the ability for companies operating in China to collaborate to iterate on existing solutions and form new, improved technological solutions as they relate to data storage.
• Increases costs: Companies must install duplicate and/or additional IT infrastructure and servers to store data in China. There are also costs associated with the burden of managing data stored in multiple global locations.
• Impedes global operations: Laws include impact on e-commerce transactions, research and development efforts based in China (think about what happens if sites and information are censored), the use of big data analytics and communications and across borders
• Creates security concerns: Mandated localization and requirements for data review in the name of “security” are actually negative, as they limit choice for companies and prohibit them from implementing the most secure/best options available (or consistently implementing a solution across global locations). Additionally, China’s requirements differ from international standards and best practices.
• Creates difficulty linking to China-based networks: Security risks are involved, and international vendors and service providers may be unable to troubleshoot issues or resolve in a timely fashion when data in China is separate from all other operational data.

Market Access + Global Solutions

The second segment of the report explores concerns associated with innovation (again), and the impacts to use of “global solutions” such as cloud computing that come as a result of China’s restrictive licensing requirements.

• Requires multiple certifications: Sometimes a provider is required to obtain multiple certifications to operate in China, which is not only inconvenient but also expensive.
• Requires partnership with local entities: In many cases, foreign providers must partner with local companies to obtain necessary licenses. This means they forfeit operational control (the China-based business has 50% of the control) and become dependent on another less-known company. It also creates a burden for the foreign business in procuring partners, which can be inefficient and expensive.
• Restricts access to services: Cloud services, inherently, are intended to be accessible from anywhere around the world and are often implemented to enable businesses and employees to operate globally. China’s requirements prohibit the use of many top cloud providers, however, placing barriers on the use of software, communication tools, document sharing (internally and with clients) and data/information hosting. While China does offer its own cloud solutions, these solutions do not have an international presence nor are they leading products.

Secure, Controllable Technology + Cybersecurity Review Regimes

Global technology systems are used by international companies to enable security and protect user information including personally identifiable information. China’s requirements, however, vary from standards and best practices, and as such can actually do damage.

• Implements weakened encryption: The use of local encryption algorithms in China is inconsistent with global best practices for encryption. Not using international standards created by experts creates security concerns, and the inconsistency and potential incompatibility of China’s encryption algorithms expose businesses to increased vulnerabilities.
• Prohibits compliance with best practices: Companies cannot implement global solutions or comply with best practices, as China’s requirements vary. Further, as noted in the report, China is not always forthcoming about practices so it’s unclear how their rules function and interact with other standards in place.

Conclusion

As you can see, China’s strict guidelines for cybersecurity, data storage and other related standards create myriad concerns for businesses operating within the country. These concerns impact business operations and end-user experience alike, and in many cases not only cause inefficiency and inconvenience but also come with great risks to security. Thus, China’s strict censorship and cybersecurity guidelines have far-reaching effects even beyond the country’s borders.

All information in this article comes from the USCBC Recommendation paper. You can view the full paper here.