Barely over a year ago the relationship between the United States and China over cybersecurity seemed poised for peace. That was on the heels of the September 2015 Nuclear Security Summit, in which Presidents Barack Obama and Xi Jinping met and agreed to important cybersecurity measures. Ah, how quickly times change.
One Foot on Both Sides
The cybersecurity agreements between the United States and China focused on stealing intellectual property or trade secrets. Both sides agreed to respect proprietorship, and also set up a crisis response hotline for cybersecurity issues.
The focus of the United States tends to be on the free flow of data across national borders and freedom of expression, which can appear to be an affront to the Chinese focus on security, domestic stability and development of the digital economy. Both sides have some shared interests: products sell in both countries, the global supply trade crosses the ocean, and cybercrime tends to cross national borders of all kinds, including those of these two super-sized nations.
Then, in the spring of this past year, the FBI tried to force a major US tech company, Apple, to unlock an iPhone for an investigation. After Apple refused, the FBI succeeded anyway.
You’d think that the Chinese government, which regulates its own tech companies, would understand. However, since that time China has tightened regulation on Apple in its own country, leading experts to suggest that the Chinese government is concerned that US-based companies would spy for the US government, intentionally or not, or destabilize the Chinese economy.
Then, on November 7th, 2016, the Chinese government passed cybersecurity measures that raise a number of concerns for foreign-operating tech companies, like Apple, Microsoft and others.
Chinese Cyber Policy
The new Chinese cybersecurity policy has already been translated into English, if you want to read it. While the emphases on security and developing the internal digital economy are understandable, foreign tech companies are concerned about several key points:
• Security certifications—Companies will be required to be certified as secure by the Chinese government, but obtaining such certification may require broad access to corporate proprietary data. Network equipment and software inspections, even if they do not also contain “spyware” or other ulterior motives, could result in access to corporate policy, trade secrets or technologies.
• Playing favorites—The “secure and trusted” title that companies earn could favor Chinese companies, under the auspices of strengthening the Chinese market. China has already been accused of favoring domestic companies to the extent that it seems punitive to foreign tech companies.
• In-country data storage—Companies covered by the law, including organizations as varied as finance, energy, and tech, must store information in-country. Many companies traditionally store data in multiple secure locations; regulations of this kind could put corporate data in danger (think “all of your eggs in one basket,” and you get the idea). Without the ability to choose where and how data storage occurs, hackers may be more easily able to access secure corporate information.
Where to Go From Here
Cybersecurity issues are complicated, in some ways. They are new concerns on the international agenda, and they also cross the lines between private and public concerns, affecting everyone but not any single entity, which makes it potentially difficult to decide where responsibility lies.
In the case of the cyber stand-off with China, the federal government needs private tech participation and vice versa.
Coordination at the highest levels, such as specific exemptions to the new Chinese cybersecurity policy for outside corporations, will be required for mounting tensions to safely dissipate.
US-based tech companies stand to lose key Chinese markets if the two sides cannot come to acceptable terms. It will fall to the next administration in 2017 to see where we go from here.