Cybersecurity in China VS Free Data Flow
Cybersecurity in China is of the same importance as national security, as defined by Cybersecurity Law in 2016 (which became effective a year later). This was preceded by establishing a so-called ‘leading group for cybersecurity’ in 2014, with president Xi Jinping as the group leader. The aim of this group was broadly defined as ‘managing cybersecurity concerns and other internet-related issues’.
Here lies the core explanation of why China is so strict when it comes to operating with international tech giants. For example, Article 35 of the Security Law states that:
Individual information and essential business data collected by Internet service providers (ISPs) shall be stored within China. Suppose the data needs to be sent overseas. In that case, a security evaluation should be performed based on regulations established by the State Council and other departments.
Therefore, companies such as Google, that store all data collected through Google Analytics in the USA, are in direct conflict with the Chinese Cybersecurity Law.
Photo Illustration: Freepik
China has over 1 billion users with internet access in January 2022. Moreover, it’s the world’s largest e-commerce market. That said, it’s clear why cybersecurity should be one of the top national priorities. Now, in the wrong hands, this can also be means of manipulation. As scholars from the Chinese Academy of Social Sciences noted, China’s official cybersecurity discourse has evolved from focusing on ‘technological’, ‘sociopolitical’ issues to the current ‘military-diplomatic’ affairs focus.
Official responses to cybersecurity threats have changed from initially treating it as a mere technology crime to upgrading it to the current military and diplomatic issue (…) which is caused by the increasing Sino-American conflicts and disputes over cybersecurity and internet governance since 2010 as well as China's growing ambition to restructure global cyber power since 2014.
Weishan Miao, Jian XuJian Xu, Zhu Hongjun
What does it Mean for Foreign Companies?
Since the first draft of Cybersecurity Law was introduced, experts have warned that it can have a particularly alarming interpretation.
“It shouldn’t be forgotten that the state has tremendous power and plays a critical role in economic plans. Government interference is much more prevalent than in Western nations. And under the veil of cybersecurity, regulators will have access to proprietary information that could benefit Chinese firms at the expense of foreign business”, said professor Georges Haour from International Institute for Management Development.
He also added that this could mean additional costs for international companies that want to keep doing business in China. For them to comply with the law and store data inside of the country, they would need to build extra facilities. Even so, China would have access to business information that was private up until now.
So, there’s a black-and-white scenario for foreign companies. They will either comply with the law or be excluded from the extensive Chinese market.
Innovations in Cybersecurity in China
The expectations for cybersecurity are high. When we say high, we mean on revenue $40-billion-by-2023 high. But let’s not rush things.
There has been an annual World Internet Conference in Wuzhen since 2014, and the term ‘cyber sovereignty‘ was first introduced by President Xi Jinping in 2015. A wholesome definition of this term would be:
Respecting each country's right to choose its development path, internet management model, and public policies on the internet.
In other words, this approach gives more power to the state as a decision maker, wholly opposed to the western ‘multi-stakeholder’ philosophy, characterized by mutual policy-making of government, private sector, civil society, and international organizations.
So, how is China planning to grow in terms of cybersecurity revenue and ensure enhanced privacy for internet users?
First, official bodies with regulatory responsibilities, such as the Ministry of Industry and Information Technology (MIIT), have the power of mandatory demands. For example, one of the largest industries, IT, must allocate 10% of its budget to cybersecurity by 2023.
Photo Illustration: Freepik
On the other hand, a more theoretical one, China is encouraging demand for products, services, and technologies such as data security monitoring and artificial intelligence-powered (AI) threat detection.
These two highest tides should result in a 12.4% CAGR by 2027.
Alongside ambitious plans for the urban population, China’s State Council is reportedly investing $22 billion in expanding broadband network infrastructure in rural areas of the country. With that, China will meet all criteria for implementing a broader (or all-seeing, if you will) cybersecurity strategy.
This is another argument for why China is the global leader in internet power. Still, its reputation raises many concerns among experts.
“Many scholars have found that China’s leadership ultimately rests on its claim that it stands as a representative among developing countries in the global South. Many of these economies rely on internet access in their development agendas, ensuring that it becomes universal for most of the population. At the same time, China’s approach is attached to this cyber sovereignty. This brings us to a lot of human rights concerns since it gives the utmost responsibility over cyberspace to the state”, explained Mabda Haerunnisa Fajrilla Sidiq, a researcher from the London School of Economics and Political Science at this year’s Belgrade Security Conference.
Shortcomings of the ‘Cyber Sovereignty’
Now, to put it literally, no one outside the country will be able to collect users’ data without permission… But in-country companies will have all the permission in the world? That can’t be good.
China’s approach to internet governance is undoubtedly state-centric. It promotes a so-called ‘cyber sovereignty, with the ambition to establish a new global internet order. International research company KPMG published a report in 2016 about cybersecurity in China, and these were crucial findings:
- 91.5 billion RMB (~$12.54 billion) worth of damage caused by personal information leakage and fraud.
- 37% of users experienced security problems while making payments online.
- 51% of them reported financial loss.
- 37% were victims of online fraud and financial loss.
- 84% reported information leakage, followed by negative consequences.
Additionally, if you consult the official Annual Statistical Report on China’s Internet Development, you’ll find out these are the most common cybersecurity problems:
- 22.1% Personal Information Leakage
- 16.6% Internet Fraud
- 9.1% Virus Infected Devices
- 6.6% Stolen Passwords or Accounts
So, how do official bodies interpret this data?
Photo Illustration: Freepik
They blame it on external companies for cloud-based technologies.
Apparently, MIIT sees a huge threat in these platforms related to information sharing. That is why, for example, they disclosed a partnership with Singapore-based Alibaba. So, all the reported system vulnerabilities (143,319 in 2021, to be precise) and DDoS assaults (753,018 of them) were an alarm to tighten control over cyberinfrastructure in China. Moreover, even state-owned enterprises (SOEs) were required to transfer their data from private operators.
Not only that, but businesses with special hardware and systems for network management will be at the most risk – including ATMs. Since they are now sophisticated enough for face recognition and require mobile connectivity, under this law, confidential data from ATMs will also have to be highly secured, leaving that to the interpretation of governmental bodies with regulatory responsibilities.
As the researcher mentioned above, Mabda points out, China sees cybersecurity as essential for ensuring regime stability, alongside state actors as the leaders of cyber governance.
“The idea of cyber sovereignty underpins China’s advances in defining what’s normal in cybersecurity governance. It also minimizes discussions on human rights, claiming it’s not a priority when discussing cybersecurity. The use of technology is very much defined by the users, humans. The limits or constraints are also determined by humans, who have the ability to establish laws and regulations. Human rights should be at the back of everyone’s mind before designing certain technology or platforms. Before we can ensure that the majority of the global population has access to the internet, we should ensure that the internet itself would empower the user and not ultimately lead to potential human rights violations”, she concludes.