China strings up red tape barrier that shows businesses they're better off buying local tech

New rules let Beijing review purchases after pondering 'political, diplomatic, and trade factors' for up to three months

China has implemented new rules for buying tech equipment in a move to bolster the country's cybersecurity.

The new rules, announced yesterday by the Cyberspace Administration of China (CAC), requires "critical information infrastructure operators" to undergo a review for any tech products or services that "affect or may affect" national security".

Under the new rules, companies must submit procurement documents, purchase agreements, and an analysis of the deal's potential national security impact for government review before signing a contract. The review process is expected to take up to 45 working days, but may take up to three months to resolve in more complicated cases.

The regulation's wording says the Chinese government will consider "political, diplomatic, and trade factors" as part of any review.

The review will involve both "pre-examination" and, ominously, "continuous supervision". The CAC did not respond to The Register's request for clarification of just what those phrases mean.

An obvious consequence of the rules is that Chinese companies might buy local instead of putting themselves at risk of lengthy reviews. If many do so, it will be bad news for foreign tech companies. Many of those come from the USA, which is negotiating new trade arrangements with China after making it very hard for Chinese companies Huawei and ZTE to do business on its soil, or for Chinese companies to use American tech. Today the USA also shook its fist at four Chinese telcos.

Robyn Chatwood, a cybersecurity expert at law firm Dentons, argues that China's attempts to beef up its cybersecurity predate the trade tensions with the US. She points out that the new regulation replaces a set of 2017 trial measures from before the trade wars began, which called for reviews of "supply chain" and "security" risks in production, testing, delivery or technical support.

"The direction of travel in China is about data protection generally. You've certainly got that background context of the trade war," Chatwood said. "But I don't think the regulation is targeting anyone - it's just that the US dominates these areas so it impacts them the most heavily."

Jim Fitzsimmons, a director at cyber consultancy at Control Risks, agreed. "They were going to do this anyway," he said. "This is part of a bigger programme. The motivation behind all these things is how poor cybersecurity is in China. The government has identified this as a strategic risk and these are all the things they're trying to do to fix it."

He argued that China's policies are not so different from other countries'. "Any country when they think of their own [critical information infrastructure], they want to make sure they're doing the right thing around protecting and evaluating so they're not introducing risk to their system. But some countries are further down the road and more explicit. China is different in how it presents these things and put these things forward."

The Chinese government defines critical information infrastructure operators loosely to include energy, telecommunications, transportation, finance, defense, military, administrative management, as well as cloud computing, big data, and the Internet of Things.

The new policy comes into effect from June 1. The previous regulations can be found here. ®

Broader topics

Other stories you might like

  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • Russia, China warn US its cyber support of Ukraine has consequences
    Countries that accept US infosec help told they could pay a price too

    Russia and China have each warned the United States that the offensive cyber-ops it ran to support Ukraine were acts of aggression that invite reprisal.

    The US has acknowledged it assisted Ukraine to shore up its cyber defences, conducted information operations, and took offensive actions during Russia's illegal invasion.

    While many nations occasionally mention they possess offensive cyber-weapons and won't be afraid to use them, admissions they've been used are rare. US Cyber Command chief General Paul Nakasone's public remarks to that effect were therefore unusual.

    Continue reading
  • Proposed Innovation Act amendment would block US investment in China
    We're just astounded to see bipartisan efforts in Congress in this day and age

    A draft US law that would, for one thing, subsidize the US semiconductor industry, has gained an amendment that would turn the screws on American investments in foreign countries.

    The proposed update states that semiconductors, large-capacity batteries, pharmaceuticals, rare-earth elements biotech, AI, quantum computing, hypersonics, fintech and autonomous technologies are all included as sectors in which foreign investment would be limited, specifically in "countries of concern," or those considered foreign adversaries, like China. The amendment also would restrict construction investments and joint ventures that would involve sharing of IP and monetary rewards.

    US entities that have invested in a sector or country covered under the amendment would be required to notify the federal government, and the proposal also includes authorization for the executive branch to form an interagency panel responsible for reviewing and blocking foreign investments on national security grounds, the Wall Street Journal said of the amendment.

    Continue reading

Biting the hand that feeds IT © 1998–2022