By Yoko Kubota
BEIJING -- A host of proposed cybersecurity regulations by China
are vexing U.S. businesses, who see the rules as new barriers to
the Chinese market, and loom as a potential sticking point in
coming U.S.-China trade talks.
The new draft rules and standards, released over the past two
months with little fanfare, flesh out an existing cybersecurity law
that the U.S. and many foreign businesses already consider
draconian. Some forbid certain data from leaving China or slow down
the process of sending data overseas, increasing uncertainties and
costs. Tough procurement rules could also place foreign products at
a disadvantage.
If enacted, the measures are likely to hit a swath of American
companies, including makers of tech products such as Cisco Systems
Inc., International Business Machines Corp., Juniper Networks Inc.
and Dell Technologies Inc., as well as those in financial services
or the automotive sector that handle data.
U.S. businesses and trade groups say some of the proposals are
too vague and give Chinese officials leeway on enforcement. The
Cybersecurity Administration of China and the Ministry of Public
Security, which are involved in the various drafts, didn't respond
to requests for comment.
The rules don't only target U.S. companies. They reflect
multiple factors shaping China's cybersecurity landscape, including
growing consumer awareness over data privacy and a recent global
trend of establishing new data privacy rules, experts say.
The timing suggests Beijing is using them to show Washington it
has options to punish U.S. businesses, experts said. "These are the
tools in the arsenal that can be ready to be fired," said Samm
Sacks, a cybersecurity expert at the Washington-based think tank
New America.
While the release of these proposals had been expected following
the introduction of a new cybersecurity law in 2017, Beijing had
seemingly held them in abeyance while talks with the U.S. on ending
the tariff fight progressed early this year. Greater access for
American tech companies is a priority for U.S. negotiators, and
Chinese officials showed a willingness to discuss issues related to
cybersecurity.
Then, after negotiations foundered in May, Beijing started
releasing the new draft rules. More followed after Washington
placed restrictions on Chinese telecommunications-gear maker Huawei
Technologies Co.
President Trump and his Chinese counterpart Xi Jinping last
month committed to restarting trade talks, with delegations set to
meet this week. The proposed cybersecurity regulations could be a
factor in future negotiations, as they would impose restrictions on
American business operations and market access.
"China's resumption of regulatory efforts signal less
willingness to bow to U.S. demands in hopes of [a trade]
agreement," said Paul Triolo, head of geo-technology at research
firm Eurasia Group.
The Office of the U.S. Trade Representative didn't immediately
respond to a request for comment.
While the cybersecurity law is already in effect, Beijing is
still in the process of setting implementation measures. The
recently released drafts cover at least eight categories and could
be changed.
Of particular concern are the rules requiring cybersecurity
reviews. They lay out the steps operators of "critical information
infrastructure" must go through to procure network equipment that
could influence national security, including a review by an
interagency organization.
The draft doesn't define exactly what a "critical information
infrastructure" operator is. China has broadly said they include
those with computer-network operations in telecommunications,
energy, transportation, information services and finance, but U.S.
trade negotiators are pressing for more details.
It also states that operators must assess risks including the
likelihood of supply chain disruption due to "politics, diplomacy
and trade" -- wording that policy experts say is likely in direct
response to U.S. actions against Huawei.
These rules could deter Chinese companies from procuring foreign
equipment if they fear these products would be subject to lengthy
reviews or even get blocked, said Yan Luo, a Beijing-based attorney
focused on cybersecurity policies at Covington & Burling
LLP.
Another batch of rules outline steps involving security tests on
"critical network equipment."
The Ministry of Industry and Information Technology, which
drafted this set of rules, said it had received feedback from
foreign companies -- including Cisco, IBM, Juniper, Dell, and
Germany's Siemens AG -- that make network equipment such as
routers, switches and servers. Any new measures would offer an open
and uniform standard and "foreign technologies and products will
not be discriminated against," the ministry said.
A Cisco spokesman said the company is committed to complying
with local law. Dell said it advocates for policies that enable an
open and secure digital economy. An IBM spokesman said the company
is "confident that we can comply with these standards." A Siemens
spokesman said the company advocates "for dialogue between all
parties including regulators to strengthen trust between all
stakeholders." Juniper didn't comment.
U.S. businesses are also concerned about proposed changes that
restrict information about individuals that could undermine
national security or damage public interest from leaving China and
require network operators to undergo a local security review over
other personal data.
The combined effect of these new rules would be to increase the
cost and risk of doing business in China, said Lester Ross, a
Beijing-based attorney and chair of the American Chamber of
Commerce in China policy committee.
--Kersten Zhang contributed to this article.
Write to Yoko Kubota at yoko.kubota@wsj.com
(END) Dow Jones Newswires
July 29, 2019 10:21 ET (14:21 GMT)
Copyright (c) 2019 Dow Jones & Company, Inc.
Cisco Systems (NASDAQ:CSCO)
Historical Stock Chart
From Jun 2024 to Jul 2024
Cisco Systems (NASDAQ:CSCO)
Historical Stock Chart
From Jul 2023 to Jul 2024