Cyber security Law targeted at China

By Yu Xinran

Background:

On April 4th, a letter signed by U.S. IT industry groups raised alarm about a provision in the U.S. 2013 spending bill enacted last month. The provision, aimed at thwarting cyber attacks, restricts government purchases of Chinese information technology systems due to possible “cyber-espionage or sabotage” risks.

As required in Section 516 of the Act, FBI risk assessments should be conducted if the purchased IT systems are “produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China”.

Analysis:

Effects on the U.S. side

The cyber security law may be sufficient to ensure a critical level of protection and help relieve some of the cyber attacks emanating from China.

On the other hand, although the new provision affects only four government entities, namely NASA, the Departments of Commerce and Justice, and the National Science Foundation, the primary fear of the technology groups is that such language may be included in a future spending bill or expanded to other agencies. Such a provision may threaten their subcontractors in China and bar their routine purchases of technologies.

Additionally, the measure could set an unfavorable precedent for other governments to approve anti-U.S. technology policies, which would also impair the interests of the tech groups.

One point worth noting is that the provision is weak in practice, because it is difficult to detect “Chinese ownership” across the complex and diversified components of technology products.

Impacts on Chinese companies

Companies with a large portion of their exports going to the U.S. market, for example Lenovo and Haier, could be adversely affected, and losses may escalate if such a provision is widely applied to the IT industry.

Chinese officials also claimed that Congress should review and repeal the law. As Huawei and ZTE have faced the disapproval of the House of Representatives since October 2012, the new provision takes further discriminatory steps against Chinese companies. China could also choose to retaliate against U.S. IT companies, as in the recent Apple and Microsoft warranty issues.

Conclusion:

To sum up, the U.S. IT industry groups are more concerned with their own business (access to IT products, policy risks, and contractor relationships), while Chinese IT companies may struggle more to bear the barriers generated by the U.S. government’s haunted sense of cyber insecurity.

References:

1. Consolidated and Further Continuing Appropriations Act, 2013

http://www.gpo.gov/fdsys/pkg/BILLS-113hr933enr/pdf/BILLS-113hr933enr.pdf

2. April 4th letter regarding the language in section 516

http://www.techamerica.org/Docs/Multi-assn_letter_CR_language_section_516_%28FINAL_April_4_2013%29.pdf

3. U.S. business groups worried by cybersecurity law aimed at China

http://www.reuters.com/article/2013/04/08/us-usa-china-cybersecurity-idUSBRE9370RI20130408

4. IT Industry Groups Protest Restrictions On Chinese IT Systems Due to Cyber-Risks

http://www.bna.com/industry-groups-protest-n17179873216/

5. U.S. law to restrict government purchases of Chinese IT equipment

http://www.reuters.com/article/2013/03/27/us-usa-cybersecurity-espionage-idUSBRE92Q18O20130327

6. Silicon Valley Fights Restrictions on Chinese Tech

http://cn.wsj.com/gb/20130408/bog144050_ENversion.shtml


10 Responses to Cyber security Law targeted at China

  1. WANG Wanxin No. 2010801476 says:

    Thank you for an informative and interesting blog post about the US cyber-security law news. Regarding this news, I would like to first add some background information on US cyber security law.
    According to Wikipedia, cyber-security regulation in the United States comprises directives from the Executive Branch and legislation from Congress that safeguards information technology and computer systems. The purpose of cyber-security regulation is to force companies and organizations to protect their systems and information from cyber-attacks.
    The Chinese IT equipment industry, as is widely known, relies much on the exports of products to countries like the USA. The carrying out of this new legislation would certainly seriously hit the related Chinese industry.
    This problem led by the US law change reflects a problem worth thinking about: that China needs to reform its economic structure very much. The overwhelming dependence of the manufacturing industry, especially the IT equipment industry, on overseas markets should be controlled by effective domestic improvements.
    Chinese officials, as is reported, have urged the United States to repeal the law, which they said uses Internet security as an excuse to take discriminatory steps against Chinese firms. However, such movement has been proved seldom effective. Instead of urging and urging, the Chinese government should find its ways to help the country get out of the situation. Otherwise the burden and pressure on various Chinese domestic industries would be heavier and heavier.

    Reference
    http://www.businessspectator.com.au/news/2013/4/9/technology/us-cyber-security-laws-targeting-china-require-reconsideration-business

    http://en.wikipedia.org/wiki/Cyber-security_regulation

    http://security.cbronline.com/news/us-business-groups-criticise-cybersecurity-law-targeted-at-china-090413

  2. Henry Sun (2010801880) says:

    Thank you Shin for posting such an interesting topic, which is repeatedly reported in the large news media these days.

    From my understanding of the issue, the act proposed by the act is a bias towards Chinese firms. According to the act, as mentioned in Shin’s post, the US government needs to seek approval when purchasing equipment from Chinese firms, in order to evaluate whether such purchase would make the US internet more vulnerable to cyber attacks. If the purpose stated by the letter is a true concern by the US government, the risk assessments should be addressed to all overseas companies, including those seemingly more offensive countries, rather than China alone. From this perspective, if China is the only target, it is more likely a protective measure by the US legislative officials, which misused the country’s concern over the safety of the internet.

    It is obviously correct that a country should do whatever necessary to maintain the security in the cyber world. However, targeting a country alone would never help truly address the problem, or it would create an illusion that the country’s cyber safety is already ensured. And if such over-reaction is widely accepted in the US as a regular measure for domestic protection of local firms, it will be regarded as a step backward, getting away from the essence of free trade of WTO and free economy, which the western countries are always proud of, which lowers the overall utility and efficiency considering two countries together.

    Therefore, such provision still needs careful evaluation and consideration.

    References:
    http://news.xinhuanet.com/cankao/2013-04/10/c_132297710.htm
    http://language.chinadaily.com.cn/portal.php?mod=view&aid=44562

  3. Zheng Yuchuan (Heath) 2010800666 says:

    Thank you Shin for sharing this interesting piece of news.

    I agree with Shin in that this cyber-security law clearly targets China and is a sign of protectionism. It aims at curbing the export of information technology systems from China, thus protecting the IT industry in the U.S. In fact, voices from the U.S. have proposed adverse opinions on this law.

    The US-China Business Council president John Frisbie urged the leadership of both parties to ensure that similar provisions are not included in subsequent appropriate measure. He said that the national security of the US is critical, but it must not be used as a means of protectionism.

    In my opinion, product security is a function of how a product is made, used, and maintained, rather than by whom or where it is made. Imposing a country-specific risk assessment creates a false sense of security if the goal is to improve our nation’s cyber security.

    In conclusion, this law harms free economy and shall be abandoned.

    References:
    http://security.cbronline.com/news/us-business-groups-criticise-cybersecurity-law-targeted-at-china-090413

  4. Raveena Mital 2010530144 says:

    Thanks for your informative post!

    I agree that although this law has been designed to protect US’s cyber world, it overlooks several points.

    Retaliation and difficulty in determining product orientation are two such major components. Moreover, upon research I also found a study by The Heritage Foundation that explains how stringent regulations also hurt the efficiency of research institutions, which slows down innovation and growth (Bucci, 2013). Such is understandable because the loss of contractual agreements can hinder NASA’s and NSF’s research.

    This strict law also violates the most-favored-nation principle, which will only increase tension in the global political sphere.

    Hence, I propose that the US government should forgo this regulation and instead have IT companies do the following:

    (a) Obtain proper guarantees

    (b) Conduct independent risk assessments on all IT equipment that is purchased by government entities (regardless of where it comes from). Costs for this shall be borne by the buying parties. However, if any fraud or misrepresentation is detected, then the selling party shall bear all costs, expenses and compensation.

    Although difficult to implement, the aforementioned provisions will be fairer and more efficient.

    Reference(s)

    Bucci, S.P. (2013). Cybersecurity. Retrieved April 12, 2013, from http://www.heritage.org/research/reports/2013/04/a-congressional-guide-seven-steps-to-us-security-prosperity-and-freedom-in-cyberspace

  5. Cory (30350758580) says:

    Not only have Chinese companies been sourced as attacking businesses (such as the New York Times (1)) in North America, but government funded cyber espionage groups have been directly linked to attacks on U.S. agencies (2). In fact, China holds no bars or limitations against whom it attacks, including helping North Korea attack South Korea (3). Though U.S. IT industry groups might be more concerned with their own business, I think that’s a separate issue from the U.S. Government’s very real need for cyber security. I do however agree with you in that it is quite difficult to detect “Chinese ownership” – though not impossible.
    The new regulations will certainly add weight to any Chinese company trying to do technological business in the U.S. But it might be worth it. A new study from the Ponemon Institute that did research on 56 large U.S. companies put the damages at about 1.4 million USD (10,866,240 HKD) per company per year (4) and increasing at about 6% a year. I think it’s sufficient to say that although battling cyber security at a hardware level might not be the most efficient way, it at least puts political pressure on China, land of the Great Chinese Firewall, to at least put reins on its cyber espionage programs. Ultimately however, investments will need to be made on the software level.

    1. http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?pagewanted=all
    2. http://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=all&_r=0
    3. http://www.guardian.co.uk/world/2013/mar/21/south-korea-cyber-attack-chinese
    4. http://www.ponemon.org/local/upload/file/2012_US_Cost_of_Cyber_Crime_Study_FINAL6%20.pdf

  6. Ni Hong (Neo) 2010802327 says:

    Thank you Shin for your interesting post.

    I quite agree with you that it is not appropriate for the US government to set restrictions on government purchase of Chinese information technology systems. China could challenge the provision as a violation of World Trade Organization rules. Under WTO rules, a national security exemption could be applied to impose restrictions on some specific companies if due to possible “cyber-espionage or sabotage” risks. However, in this case, the provision is applied to all Chinese IT companies and the US government cannot prove the security risk. It hence is trade discrimination in the cover of protectionism.

    On the other hand, China may have a tough time making that case because it is not a member of the WTO agreement setting international rules for government procurement. Despite this, China should find another way to enhance its compatibility in the international market except cost leadership since other developing countries such as Thailand and the Philippines now have much cheaper labor. In addition, China is a big market that has very good future perspective. As IT companies based in China, they have an advantage to take over the market and should focus on it.

    Reference:
    http://www.cdnews.com.tw/cdnews_site/docDetail.jsp?coluid=110&docid=102273518

    http://www.reuters.com/article/2013/03/28/us-usa-cybersecurity-espionage-idUSBRE92Q18O20130328

  7. Huang Yihan 2010802561 says:

    Thanks a lot Xinran for your interesting case and detailed analysis. I agree on most points you’ve mentioned but have some different views on some small points you’ve raised.

    First, I quite agree with you about the difficulties to “detect Chinese ownership”. I think another factor that makes the Chinese ownership even harder to detect is the existence of offshoring incorporation and nominal shareholders/directors. Second, I don’t feel that this provision would be extended to the whole IT industry. It would be causing not only a huge loss for Chinese companies but also extensive impacts on American consumers and IT companies.

    Regarding the provision itself, I would question its justice under the fair-trade principles and am also concerned about its long-term effect on U.S. national security policy. Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, also admitted that “the new restrictions do not represent a viable long term policy” and “over the long term, it is very important to have China as a collaborative partner in research and manufacturing”. When it comes to the reason why such an act is necessary at present, Borg emphasized “the Chinese thefts of technology and competitively important business information”, which makes a lot of sense as well.

    References:
    Messmer, E. (April 4, 2013). Should US limit China-government influenced IT systems? Retrieved on April 14, 2013 from: http://computerworld.co.nz/news.nsf/security/should-us-limit-china-government-influenced-it-systems
    Yang, M. (March, 2013). The Ownership of Software Copyright in Offshore Outsourcing: A Comparative Study of China and U.S. Retrieved on April 14, 2013 from: http://www.ipo.org/wp-content/uploads/2013/03/MonicaYang.pdf

  8. Yue ZHAO (Nina) (2010801282) says:

    Thank you Shin for the informative post and the profound insights!

    This Act is actually a result from months of mutual accusations of hacking and Internet intrusions between Chinese and US governments. US government has accused China of stealing confidential commercial and government data from its database. Several newspapers also claim that the new cabinet of Chinese government has decided to take ‘bold actions’ by all means.

    According to Wang Yi, China’s Foreign Minister, the US should try to ‘make joint endeavors to safeguard cyberspace’ instead of considering its own interest only. Such myopic actions may lead to retaliation, cause unnecessary losses, and complicate the international trade environment. This means that the US should not have shown bias towards Chinese IT companies that will be massively affected by the coming Act negatively. For example, Lenovo is currently serving US government and military IT systems. It is targeting to enter US education sectors now while the Act restricts its access to further expansion. The company is expected to slow down its hyper growth in the US market in the coming few years.

    In response to this Act, Chinese government has communicated actively with the US government. Consequently, the US Secretary of State John Kerry has announced on April 13th that the two governments have decided to work together to enhance the overall cyber security and form working groups. However, the Act will be hard to implement since most of the IT products worldwide have a ‘Made-In-China’ stamp already and it’s unreasonable and impossible to replace each one of them or have them rechecked.

    References:
    http://www.reuters.com/article/2013/04/13/us-china-us-cyber-idUSBRE93C05T20130413

    http://techcrunch.com/2013/03/27/new-u-s-cyber-security-law-may-hinder-lenovos-sales-growth/

    http://www.bbc.co.uk/news/world-asia-china-22137950

  9. Zhu Guyi (2010802614) says:

    Thanks Shin for bringing this interesting topic.
    In recent years the security of global information systems has become a contentious issue in U.S.–China relations. U.S. government sources allege that Chinese intrusions targeting proprietary economic data and sensitive national security information are on the rise. At the same time, a large proportion of malicious activity globally originates from computer hosts located in the United States. Both the U.S. Department of Defense and the Chinese People’s Liberation Army view cyberspace as a new domain of conflict, and they eye each other warily. Nationalist “hacktivism,” in the form of website defacements, service denials, and network exploitation, flows both ways across the Pacific. This unfortunate situation exacerbates mistrust and raises suspicions in both countries regarding the other’s motives and activities.
    It is said this move has also created concern that Chinese officials might respond in kind and could harm U.S. interests.
    USCBC is working to ensure that government decisions are not politicized. Government reviews from both countries and subsequent decision making in areas such as investment security reviews, government procurement decisions, and trade remedies such as anti-dumping and countervailing duties cases must be fact-based and shielded from political pressures, and non-retaliatory.
    It has to be noted that failure to appreciate China’s domestic economy and politics can lead to a profound misunderstanding of its international activities. It is especially important to understand the domestic civilian context of cybersecurity given that the majority of day-to-day insecurity in cyberspace is economically motivated and risks of all types involve civilian information technologies.

    References:
    http://www.reuters.com/article/2013/04/08/us-usa-china-cybersecurity-idUSBRE9370RI20130408
    http://www.ecommercetimes.com/story/77749.html
    http://igcc.ucsd.edu/assets/001/503568.pdf

  10. Zhou Yiqiong (2010801921) says:

    Thanks, Shin, for bringing up this interesting topic.

    The issue of cyber security has caused widespread concern worldwide since the 21st century. In recent months, U.S. concern about Chinese cyber-attacks has mounted, and President Barack Obama even vocally condemned the practice. Obama held the view that some cyber security threats were “absolutely” sponsored by governments while Chinese authorities replied that the U.S. should avoid making “groundless accusations”.

    The new law is just the consequence of the growing U.S. concern over Chinese cyber attacks. It would prevent NASA, and the Justice and Commerce Departments from buying information technology systems unless federal law enforcement officials give their OK.

    According to a report by the Congressional Research Service issued in May, 2012, the U.S. imports a total of about $129 billion worth of “advanced technology products” from China. That’s apparently not a small amount. The measure could turn out to be a “harsh blow” for Chinese computer-makers, like Lenovo, but it may also bring adverse impacts for American companies in the IT industry.

    From my point of view, the U.S. and China should really work together on cyber security problem instead of putting on all sorts of sanctions against each other.

    References:
    http://www.reuters.com/article/2013/03/27/us-usa-cybersecurity-espionage-idUSBRE92Q18O20130327
