China’s New Encryption Law Poses Threat to US Companies, Experts Warn

December 18, 2019 Updated: December 19, 2019

WASHINGTON—Beijing’s new cybersecurity law is expected to have significant repercussions for global companies operating in China, as companies won’t be able to keep their data secret from the Chinese communist regime, according to experts.

On Jan. 1, China’s cryptography law becomes effective. The legislation is part of the comprehensive cybersecurity system China has been rolling out under its Cybersecurity Law and it follows Multi-Level Protection Scheme 2.0, which came into effect on Dec. 1.

These measures show Beijing’s ambition to seize all communications, data, and other information stored in electronic form that belong to foreign companies, according to author and China expert Gordon Chang.

“There will be no secrets,” he said. “Because [firms] have to turn over encryption keys, they can’t use VPNs [virtual private networks] to get around the rules. Everything they have in China on their networks will become available to the Ministry of State Security and the Communist Party.”

Companies use encryption technology to protect the confidentiality of information transmitted and stored on networks. However, no foreign company may encrypt their data or communication if China enforces these new rules.

Chang said that foreign companies might be prohibited from employing VPNs to protect their data and may even be barred from using private servers.

In addition, Chinese officials may share seized information with China’s state-owned enterprises to give them a competitive advantage against their foreign competitors.

The new cybersecurity rules may also result in foreign companies losing trade-secret protection around the world.

“If China actually enforces these rules to the maximum extent, they’ll be able to take over the Fortune 500,” Chang said. “So, obviously, we’ve got to do something about it. And the sooner we do something about it, the better it will be.”

The United States and the Chinese regime announced on Dec. 13 that they had reached a deal in the “phase one” trade talks, which included the areas of intellectual property (IP) and forced technology transfer.

According to the fact sheet released by the Office of the U.S. Trade Representative, however, the initial trade deal has not really addressed the new cybersecurity laws. Chang called the deal “pointless.”

White House economic adviser Larry Kudlow told Fox News on Dec. 15, “There’s a large IP chapter in this deal, and there’s also a large forced technology transfer chapter in this deal.”

When asked about China’s new cybersecurity rules, Kudlow said: “I don’t think we know enough about these new Chinese rules, and we’ll have to look at that. By the way, if they do violate them, of course, we will take action. That’s part of the enforcement mechanism in the deal.”

US Firms ‘Should Be Very Concerned’

The new cybersecurity measures are “the latest in a series of policies that China has enacted in the last few years as it seeks to define its restrictive and onerous approach to data governance,” said Nigel Cory, an associate director at the Washington-based think tank Information Technology and Innovation Foundation.

China has been implementing policies to govern data, including data localization, which forces both foreign and Chinese companies to store their data locally. The measure has been coupled with the Great Firewall of China, which has blocked imports of data from a whole range of different websites and services, Cory said.

The latest encryption law would now govern how the data could be accessed by the Chinese regime, he said.

U.S. firms don’t know exactly how these laws will be implemented and enforced.

“What we know in terms of past experience with the Chinese government’s approach to forced technology transfers and the cyber theft of IP—there’s a track record that means that U.S. firms should be very concerned about how the Chinese government will actually enforce this law,” Cory said.

According to Chang, many American companies may suffer the same fate as Canada’s Nortel Networks, and hence the U.S. government should take action to protect American businesses in China.

Experts allege that Chinese hacking and IP theft played a part in the eventual demise of Nortel, the crown jewel of Canada’s high-tech industry for decades.

Nortel was a big technology success story in Canada. The firm, at its height, employed close to 100,000 people worldwide and reached a market valuation of $283 billion.

The failure of the firm 10 years ago was attributed to multiple factors, including IP theft by Chinese hackers that presumably aided Nortel’s competitors.

Follow Emel on Twitter: @mlakan