December 28, 2016
The letter of internet by the Cyberspace Administration of China details some of the next steps in enhancing already strict controls on digital activity in the country.
Aly Song/Reuters
HONG KONG — At the end of what has been a tough year for foreign technology companies in China, a new statement of purpose from the country’s internet regulator suggests the next one may be even trickier.
In its first strategic report on cybersecurity, the regulator, the Cyberspace Administration of China, said on Tuesday that it would set up a cybersecurity review system on technology products in the country. It also outlined other details in its effort to enhance already unprecedented internet controls there.
For foreign companies, the report offered public confirmation of China’s intent to set up the security reviews, though it did not offer details about what the checks would look for, who would carry them out or when they would be formalized. The report’s language was similar to that described in a May article in The New York Times about how foreign companies were quietly submitting to security checks targeting encryption and data storage.
More broadly, the report doubles down on a cybersecurity law passed last month that raised concerns among human rights groups and foreign companies. While part of a broader effort to streamline internet regulations, the report is also a letter of intent for some of the next steps in enhancing its already strict controls on digital activity in the country.
Beijing has struggled to balance its goal of fostering innovation with its desire to keep control over a communication medium it believes could be destabilizing. While including boilerplate references to opening up, the report makes clear that the government will continue to err on the side of control for now.
In a section subtitled “Peace,” the report said that Beijing would work to get ahead of a global cybersecurity arms race threatening international peace. In another part, the regulator said that China would use military means if necessary to protect its internet sovereignty. China has said in the past that the internet represents a new realm, akin to space, in which it must assert its rulership rights.
The new report is the most clear signal yet of the government’s intent to crystallize those checks into a formal policy.
The document includes a long list of economic sectors that could be deemed sensitive, which could eventually mean that they would be required to use only computing equipment approved by regulators. They include energy, finance, traffic, education, research, industry, water management, manufacturing and health care, as well as communications systems and the internet.
To some degree, bringing the checks into the open would be welcome. Some people who were aware of the security checks on encryption and data storage complained that they were vaguely defined and treated as a secret. For foreign companies, that left open the possibility that they could be used to extract trade secrets or find weaknesses in products for state hackers.
Still, if China were to be more public about the checks, it could lead to copycat policies from other countries, analysts have said.
Drafts of proposed Chinese laws are typically released to domestic and foreign companies for comment. In this case, the reviews were carried out without any formal legislative process, meaning that companies had little room to push back.
