Authored by Gordon Chang via The Gatestone Institute,
On January 1, China’s Cryptography Law becomes effective. The legislation follows the December 1 implementation of the Multi-Level Protection Scheme 2.0, issued under the authority of the 2016 Cybersecurity Law.
Together, these measures show Beijing’s absolute determination to seize from foreign companies all their communications, data, and other information stored in electronic form in China.
President Trump should use his emergency powers to prohibit American companies from complying with the new rules or from storing data in China.
After all these “cybersecurity” rules are in place, no foreign company may encrypt data so that it cannot be read by the Chinese central government and the Communist Party of China. In other words, businesses will be required to turn over encryption keys.
Companies will also be prohibited from employing virtual private networks to keep data secret, and some believe they will no longer be allowed to use private servers.
Beijing’s system, once implemented, will be so invasive that Chinese authorities will no longer need to ask foreign businesses to turn over data. Chinese officials will simply be able to take that data on their own.
“Once data crosses the Chinese border on a network,” writes Steve Dickinson in the China Law Blog,
“100 percent of that data will be 100 percent available to the Chinese government and the CCP.”
Beijing’s complete visibility into the networks of foreign companies will have extremely disadvantageous consequences, Dickinson notes.
First, Chinese officials will be permitted, under Chinese law, to share seized information with state enterprises. This means the enterprises will be able to use that information against their foreign competitors.
Second, China’s new rules will almost certainly result in foreign companies losing trade secret protection around the world. A trade secret loses its status as such when it is widely disclosed. Once a company allows such a secret to be carried on its Chinese network, the company has to assume Beijing will know it. “Since no company can reasonably assume its trade secrets will remain secret once transmitted into China over a Chinese controlled network, they are at great risk of having their trade secret protections outside China evaporating as well,” writes Dickinson.
Third, China’s cybersecurity program exposes companies to penalties for violating U.S. tech-export legislation. Businesses have assumed that technology covered by U.S. export prohibitions is not “exported” if it is kept on a Chinese network protected by end-to-end encryption, in other words, not available to Chinese authorities. Because companies will no longer be permitted to encrypt data end-to-end, they will almost certainly be considered as violating U.S. rules for tech stored on a network in China.
Not every analyst is alarmed by China’s December 1 measures. James Andrew Lewis, for instance, maintains that Beijing’s new rules are a “legitimate effort” to secure networks in China. Moreover, he argues the Chinese do not need the new MLPS 2.0 rules to grab information because they can just steal all they want with their advanced “APT” hacker groups. “Their intent is not to use it for malicious purposes,” Lewis argues, referring to Chinese officials.
It is not clear how Lewis, a tech expert at the Washington, D.C.-based Center for Strategic and International Studies, can know the intent of China’s officials. Furthermore, portraying that intent as benign seems naive—laughable even—while their country is stealing hundreds of billions of dollars of American intellectual property each year and while Chinese ruler Xi Jinping continues his determined attacks on foreign business. In these circumstances, we have to assume Chinese officials are acting with malign intent.
Lewis also downplays the basic point that China’s cyber spies, once they have the encryption keys and access to the China network of a foreign firm, will be in a better position to penetrate the networks of that firm outside China. Therefore, it will only be a matter of time before Beijing steals data and puts companies out of business or ruins them to the point where Chinese entities can swoop in and buy them up cheap. Many allege that China stole data from Canada’s Nortel Networks and thereby bankrupted it almost a decade ago. The company was, according to the Financial Post, “hacked to pieces.”
Finally, CSIS’s Lewis fails to recognize that Beijing’s December 1 rules generally legitimize China’s regulation and information-custody role–in other words, China’s theft.
Senator Josh Hawley is rightly more suspicious of Beijing’s intentions. In November, the Missouri Republican introduced a bill, the National Security and Data Protection Act of 2019, prohibiting American companies from storing user data or encryption keys in China. Of course, this bill faces opposition from tech companies doing business in that country.
Yet, there is someone who can, with the stroke of a pen, effectively implement Hawley’s bill. President Donald John Trump can use his broad powers under the International Emergency Economic Powers Act of 1977 to prohibit companies from complying with the pernicious new rules or from storing data in China.
The rationale for such a sweeping presidential order is that the American people have an interest in China not taking control of American companies with operations in China–a probable consequence of the application of the December 1 and January 1 measures.
Such an emergency order would effectively force American companies out of China, so this step would be drastic. Yet it is China, with its incredibly ambitious grab of data, that is forcing the issue.
The American people have a vital interest in the protection of American data. Trump should issue such an order immediately.