The issue of cyber security in China, particularly in relation to foreign businesses and governments, is highly politicised. In early 2015, it was reported that the Chinese government had introduced new rules requiring all computer equipment suppliers selling to Chinese banks to hand over their source codes for in-depth examination and to build an interface for invasive checking (a backdoor) into their systems when necessary. The details were vague as the related rules were not made publicly available but took the form of internal guidelines to banks in China, which were jointly issued by the China Banking Regulatory Committee (CBRC) and the Ministry of Industry and Information Technology (MIIT) on 26 December 2014, (the so-called Circular 317).
The guidelines are part of Beijing's efforts to strengthen cyber security in certain industries which are critical to China, including the banking sector. The approach taken has, however, caused considerable concern outside China and is questioned by the foreign companies which have an interest in this fast growing sector and fear (with some justification) that this is an attempt to force them to give away market share to their Chinese competitors. So is this really something new, and if yes, how has it come about and what are the implications?
The topic of cyber security has been high on the Chinese political agenda ever since the internet sector started to boom in the 1990s. The government's major concerns are not only the technical issues, but also those which are politically sensitive like censorship and defence. The very earlyRegulations for Safety Protection of Computer Information Systems issued by the State Council on 18 February 1994, generally prohibit activities which involve misusing computer information systems to endanger the interest of the State and civil society. This prohibition was further expanded by the Administrative Measures for Protection of the Security of International Internetworking of Computer Information Networks issued by the Ministry of Public Security (MPS) on 16 December 1997, which further prohibits activities which endanger national security or reveal State secrets. In particular, these measures stress content control and prohibit dissemination of information which violates or incites the violation of laws, incites the subversion of the State's political power and the overthrow of the socialist system, incites splitting up of the country and the sabotage of national unity, fabricates or distorts facts, spreads rumours and disrupts the social order. On 28 December 2000, the Standing Committee of the National People's Congress (NPC) further endorsed this position by underlining the criminal liabilities associated with activities breaching cyber securities.
China became all the more publicly conscious of cyber security issues following the Snowden revelations and the disclosure of the US PRISM project. On 12 November 2013, the Chinese Communist Party rolled out its Decision on Some Major Issues Concerning Comprehensively Deepening the Reform. This document is the ruling party's policy framework on cyber security and, for the first time, it explicitly states that an internet administrative and guidance mechanism should be developed to ensure the State's network and information security, which includes the establishment of a State Security Commission to handle national security strategies. Shortly after this, the Cyberspace Administration of China (CAC) was established on 27 February 2014. This is led by another high-ranking working group composed of the Chinese President and Premier as group leaders. It is quite unprecedented that State leaders take part in a working level group of this type and it sends the rest of the world a very clear signal that information and cyber security take top priority.
Following this, the so-called De-IOE campaign was launched. This is explicitly aimed at getting rid of IT systems supplied by the three major US players IBM, Oracle and EMC, and replacing them with equipment and technology developed by Chinese companies, particularly in the banking sector. On 28 August 2014, MIIT - the Internet business watchdog - issued its Guiding Opinions on Strengthening Network Security in the Telecommunications and Internet Sectorswhich, among other things, promotes use of hardware and software whose security can be monitored and controlled, and tightens control over cyber security associated with new technologies and businesses like cloud computing and the Internet of Things.
Shortly after the Guiding Opinions of the MIIT were issued in September 2014, the CBRC issued some guidance (which has binding effect) to all banks under its supervision pushing for "secure and controllable information technology" (SCIT). The nature of the guidelines only became known after Circular 317 was plugged in. The detailed contents of Circular 317 were not disclosed to the public but obviously include very precise guidance on how banks should ensure SCIT, including:
- most source codes must be submitted to the CBRC for filing
- intellectual property rights in software and hardware used by banks must be owned by an entity in China; and
- suppliers of software and hardware to banks must establish local R&D facilities and customer service centres in China.
Deployment of SCIT is required to grow at a minimum of 15% on an annual basis and to reach 75% by 2019.
Circular 317 is by no means the last word on the issue of cyber security. On 3 November 2014, the NPC presented its second draft of the envisaged Counter-Terrorism Law for consultation. Under this draft law, all telecommunication operators and internet service providers must set up technical interfaces and submit encryption solutions to enable invasive audits by government agencies. In addition, their equipment and data concerning domestic users must be kept within China. What these requirements mean is not entirely clear. In theory, they suggest no Chinese personal data can flow out of China but this is, technically speaking, impossible. Wherever the Counter-Terrorism Law ends up, it is likely to become an additional concern for foreign entities which are currently heavily lobbying the Chinese government at all levels. Whatever the final version of the law states, it will almost certainly present another serious challenge for foreign companies operating in China. Whether they like it or not, there will be new regulatory requirements to be fulfilled in the foreseeable future in the area of data protection and cyber security in China. Foreign technology companies need to keep a close eye on developments and be prepared to tackle them if they want to continue supplying to and operating in China.