A recently published U.S.-China Economic and Security Review Commission report notes China’s stricter new security requirements for information and communication technology due to purported cybersecurity concerns. The report comes on the heels of a hearing last month at the Office of the U.S Trade Representative, where U.S. telecommunications industry raised specific concerns about the new Chinese cybersecurity rules, which some fear may create market access barriers and discriminate against foreign information and communication technologies.
Several Chinese cybersecurity-related laws are the targets of this criticism, including the National Security Law. The Law requires the data and technology supporting crucial sectors to be “secure and controllable.” U.S. telecoms are concerned that such vague wording will grant authorities too much discretion to interpret the law in a way that favors domestic products.
China’s new Cybersecurity Law, which requires a security review for data and information technology equipment used in key information infrastructure, is also raising questions about what such a review might entail. The law also imposes localization requirement on all data related to China and Chinese consumers, which foreign companies worry will impede their business operations and give local business a competitive advantage.
In addition, China is considering three new security and information technology-related laws. The Guideline on Banks Using Secure and Controllable Information Technology is the most controversial. It requires companies who provide networking and storage equipment to the banks to turn over the source code to the government. Such a requirement would force foreign firms to either hand over their proprietary source code or withdraw from the Chinese market. In the view of some American companies, the law is pure protectionism. The implementation of the guideline has been suspended due to its controversial nature.
While China is facing criticism for possibly masking protectionism in cybersecurity concerns, the U.S. government may be exposed to similar claims.
In 2012, the U.S. House of Representatives Permanent Select Committee on Intelligence released a report suggesting that Chinese telecom companies Huawei and ZTE posed threats to U.S. cybersecurity and urging the federal government and U.S. businesses not to use their products or conduct business with them.
After publication of that report, Huawei dramatically reduced its footprint in the United States. Meanwhile, Huawei has expanded its business nearly everywhere else, achieving revenues of $60 billion in 170 countries last year. The United Kingdom, which incorporates Huawei products in its telecom networks, has worked with Huawei to establish a Cyber Security Evaluation Centre Oversight Board, consisting of representatives from the U.K. government, Huawei, and the British telecommunications sector. The Board oversees the operation of Huawei’s Cyber Security Evaluation Centre, which evaluates and mitigates potential security risks associated with Huawei products. To date, the Board has not found even a trace of any national security threats from Huawei products, which raises some questions about the U.S. House committee’s assessment.
Realistically, the Chinese telecommunication sector is fully integrated into the global supply chain. Among the multinational companies supplied by Chinese telecoms are Alcatel-Lucent and Ericsson, who both produce and sell in the U.S. market. As a result, it is practically impossible to turn away from “Made in China” products. Rather than officially boycott Chinese telecom products or engage in protectionism, the United States could mitigate security threats by adopting an inspection system similar to the United Kingdom’s.
Security arguments aside, restricting sales of Chinese technology products, which are typically much less expensive, presents unnecessary cost burdens for U.S. telecoms and the telecommunications infrastructure.
Moreover, imposing restrictions on Chinese products sets a bad example, which other governments might someday be inclined to follow. That is something that should concern U.S. telecoms. Currently, Cisco, Dell and Hewlett Packard account for a majority of big data equipment sold in China. Having continued access to China’s growing market is essential to their businesses.
It is worth noting that, after receiving criticism from some U.S. businesses, China invited foreign tech companies, including Microsoft, Intel, Cisco, and IBM, to join their Technical Committee 260, a governing committee inside China’s cyberspace administration. Although it is unclear how much influence these companies will have in shaping the final versions of China’s cybersecurity laws, it is a good start.
National security is a real concern, but it must be approached in an objective manner. When it is used as a disguised means of protectionism, it undermines economic welfare without actually helping promote security. Both the United States and China should take this into account when formulating national security rules for high tech industries and elsewhere.
Huan Zhu is a Research Analyst at a DC-based think tank and holds an S.J.D. from the University of Kansas.