Monday, October 21, 2019

So You Want To Do Business In China Do You? "China’s New Cybersecurity Program: NO Place to Hide"

We mentioned the National Security Law (and the cybersecurity law and the NGO law) back in July,* anyone doing business in China WILL comply, here's a deeper dive.
From China Law Blog:
The Chinese government has been working for several years on a comprehensive Internet security/surveillance program.  This program is based on the Cybersecurity Law adopted on 2016. The plan is vast and includes a number of subsidiary laws and regulations. On December 1, 2018, the Chinese Ministry of Public Security announced it will finally roll-out the full plan.

The core of the plan is for China’s Ministry of Security to fully access the massive amounts of raw data transmitted across Chinese networks and housed on servers in China. Since raw data has little value, the key to the Ministry’s success will be in processing that data. Seeing that this is the key issue, the Ministry has appointed Wang Yingwei to be its new head of the Cybersecurity Bureau. Wang is a noted “big data” expert and he will be tasked with making sense of the raw data that will be gathered under the new system.

The plan for the new system is ambitious and comprehensive. As explained by Guo Qiquan, the chief cheerleader for the plan, the main goal of the new system is to provide “full coverage”.  As explained by Guo, “It will cover every district, every ministry, every business and other institution, basically covering the whole society. It will also cover all targets that need [cybersecurity] protection, including all networks, information systems, cloud platforms, the internet of things, control systems, big data and mobile internet.”

This system will apply to foreign owned companies in China on the same basis as to all Chinese persons, entities or individuals. No information contained on any server located within China will be exempted from this full coverage program. No communication from or to China will be exempted. There will be no secrets. No VPNs. No private or encrypted messages. No anonymous online accounts. No trade secrets. No confidential data. Any and all data will be available and open to the Chinese government. Since the Chinese government is the shareholder in all SOEs and is now exercising de facto control over China’s major private companies as well, all of this information will then be available to those SOEs and Chinese companies. See e.g. China to place government officials inside 100 private companies, including Alibaba. All this information will be available to the Chinese military and military research institutes. The Chinese are being very clear that this is their plan....
....MUCH MORE
HT: The Register 

*"How the state runs business in China"
.... The author rather blithely skips over the National Security Law.
Here via China Law Translate:

There is not a lot of wiggle room in Article 7

Article 7: All organizations and citizens shall support, assist, and cooperate with national intelligence efforts in accordance with law, and shall protect national intelligence work secrets they are aware of.
The State protects individuals and organizations that support, assist, and cooperate with national intelligence efforts.
All means all, including foreign companies operating in China.
Ditto articles 14:
Article 14: National intelligence work institutions lawfully carrying out intelligence efforts may request that relevant organs, organizations, and citizens provide necessary support, assistance, and cooperation.
And 16:
Article 16: When national intelligence work institutions staff lawfully perform their tasks in accordance with relevant national provisions, with approvals and upon the presentation of relevant identification, they may enter relevant restricted areas and venues; may learn from and question relevant institutions, organizations, and individuals; and may read or collect relevant files, materials or items.
And then there's The Cybersecurity Law and the Foreign NGO Law (2016) and the Counter-espionage Law (2014) and all worded vaguely enough that the laws can mean whatever the Party and the authorities want them to mean.

Making a bit of a straw man argumentum ad absurdum, the top Canadian spinmeister for one of the companies subject to the National Security Law said:

‘At Huawei, we’re not attaching laser beams to the heads of sharks’
—Alykhan Velshi, Vice President, Corporate Affairs, Huawei Technologies Canada, Markham, Ont.
Letter to the Editor, Maclean's Magazine, published July 23, 2019

Personally I think laser-enhanced sharks would be kind of cool, it's the required handing over of data should the Chinese government request it that gives one pause.

The quibble on the importance of the National Security Law aside, my Mandarin speaking friends say the Guardian article is a fair representation of Xi and how he is shaping China.