Page 404 - 2019 White Paper on the Business Environment in China
P. 404
9 White Paper on the Business Environment in China
including communications, information services, energy, orders. Besides device updatability, there are many
transport, water, financial services, public services and other industry norms the two largest economies can
electronic government services. Any company that is a agree on. Failsafe measures, no hard-coded credentials,
supplier or partner with firms in these sectors may also transparency on software and hardware components –
be subject to the law. Foreign investors in China could be the list can go on. An increase in development costs could
asked to provide source code, encryption or other crucial make a worthwhile contribution to defending against
information for review by the government, increasing IoT-borne threats, sometimes at the scale of transnational
the risk of this information being lost, passed on to local botnets. It is no secret that both the US and China have
competitors or kept and used by the government itself. placed cybersecurity at a prominent level. Since states
Article 9 of the law states that “network operators must have already demonstrated their offensive capabilities
obey social norms and commercial ethics, be honest in more sophisticated scenarios, they would have little
and credible, perform obligations to protect network to gain from incurring collateral damage through poorly
security, accept supervision from the government and secured IoT networks (Chen).
public, and bear social responsibility”. The vagueness of
this provision, as well as undefined concepts of national
security and public interest contained within the law,
increases the government’s grounds to assert the need
for investigation, and reduces a foreign company’s ability
to contest a government demand for data access. Critics
worry that the law could be a Trojan horse designed to
boost China’s policy promoting indigenous innovation.
Other foreign technology firms worry they will eventually
be forced to divulge intellectual property to government
inspectors. While at first glance the law appears to give
the Chinese government and Chinese companies a built-
in advantage, China’s companies and its consumers
may lose out in the end. China’s cybersecurity law is
masquerading as an attempt to enhance cybersecurity,
but it is so much more. The danger is that other countries
may adopt a similar approach, in a brazen attempt to
gain commercial advantage for indigenous firms, while
clearly crossing a legal and regulatory boundary that far
surpasses what is required (Wagner).
The big elephant in the room is the “Made in China
2025” plan that promotes indigenous innovation in key
manufacturing sectors. Although the plan has clouded
US-China bilateral trade relations, IoT security presents
an opportunity to find common ground against common
threats. The interdependent IoT supply chain endowed
the two countries with tremendous norm-setting power
in promoting best security practices. Demand-side
pressure, such as procurement by governments and
upstream companies, will influence the security practices
of downstream suppliers that may be geographically
located on the other side of the Pacific. For example, an
IoT device updateability guideline by the US National
Telecommunications and Information Administration
could sway American companies to prefer updatable
devices.Thus, manufacturers in China would be compelled
to focus on device updatability in order to fulfill American
404
including communications, information services, energy, orders. Besides device updatability, there are many
transport, water, financial services, public services and other industry norms the two largest economies can
electronic government services. Any company that is a agree on. Failsafe measures, no hard-coded credentials,
supplier or partner with firms in these sectors may also transparency on software and hardware components –
be subject to the law. Foreign investors in China could be the list can go on. An increase in development costs could
asked to provide source code, encryption or other crucial make a worthwhile contribution to defending against
information for review by the government, increasing IoT-borne threats, sometimes at the scale of transnational
the risk of this information being lost, passed on to local botnets. It is no secret that both the US and China have
competitors or kept and used by the government itself. placed cybersecurity at a prominent level. Since states
Article 9 of the law states that “network operators must have already demonstrated their offensive capabilities
obey social norms and commercial ethics, be honest in more sophisticated scenarios, they would have little
and credible, perform obligations to protect network to gain from incurring collateral damage through poorly
security, accept supervision from the government and secured IoT networks (Chen).
public, and bear social responsibility”. The vagueness of
this provision, as well as undefined concepts of national
security and public interest contained within the law,
increases the government’s grounds to assert the need
for investigation, and reduces a foreign company’s ability
to contest a government demand for data access. Critics
worry that the law could be a Trojan horse designed to
boost China’s policy promoting indigenous innovation.
Other foreign technology firms worry they will eventually
be forced to divulge intellectual property to government
inspectors. While at first glance the law appears to give
the Chinese government and Chinese companies a built-
in advantage, China’s companies and its consumers
may lose out in the end. China’s cybersecurity law is
masquerading as an attempt to enhance cybersecurity,
but it is so much more. The danger is that other countries
may adopt a similar approach, in a brazen attempt to
gain commercial advantage for indigenous firms, while
clearly crossing a legal and regulatory boundary that far
surpasses what is required (Wagner).
The big elephant in the room is the “Made in China
2025” plan that promotes indigenous innovation in key
manufacturing sectors. Although the plan has clouded
US-China bilateral trade relations, IoT security presents
an opportunity to find common ground against common
threats. The interdependent IoT supply chain endowed
the two countries with tremendous norm-setting power
in promoting best security practices. Demand-side
pressure, such as procurement by governments and
upstream companies, will influence the security practices
of downstream suppliers that may be geographically
located on the other side of the Pacific. For example, an
IoT device updateability guideline by the US National
Telecommunications and Information Administration
could sway American companies to prefer updatable
devices.Thus, manufacturers in China would be compelled
to focus on device updatability in order to fulfill American
404
