China Expands Its Cybersecurity Rulebook, Heightening Foreign Corporate Concerns

By Shan Li (Wall Street Journal)

Oct. 5, 2018 8:15 a.m. ET

Another wave of regulations is likely to compound a chilling effect among foreign firms with Chinese operations

BEIJING—New cybersecurity rules will give Chinese authorities sweeping powers to inspect companies’ information technology and access proprietary information—steps that are likely to deepen concerns among foreign businesses about their China operations.

Starting Nov. 1, police officers will have the authority to physically inspect businesses and remotely access corporate networks to check for potential security loopholes, according to the regulations released Sunday by the Public Security Ministry. Police will also be authorized to copy information and inspect records that “may endanger national security, public safety and social order,” the rules said.

The regulations flesh out some of the broad powers that regulators were granted last year in an expansive cybersecurity law, according to William Nee, an analyst at Amnesty International: “It strengthens the state’s authority to inspect and requires that internet service providers and companies using the internet are fully complying with the government’s cybersecurity prerogatives.”

The cybersecurity law mandates security checks of technology products supplied to the Chinese government and to critical industries such as banking and telecommunications. It also requires companies to store data in China.

Foreign businesses have criticized the law, saying that Beijing could use it to force the disclosure of source codes and other corporate secrets to prove their equipment was secure, and then potentially leak the information to domestic competitors.

Many businesses have sought to comply with Beijing’s tightening cybersecurity requirements to maintain access to the Chinese market. Microsoft Corp. has opened what it calls a “transparency center” in Beijing where officials can test its products for security. Apple Inc. has started building a data center in the southwestern province of Guizhou to comply with rules requiring cloud data from Chinese customers be stored in China.

The new regulations also reinforce requirements on censorship and surveillance laid out in the cybersecurity law. Companies will be held responsible for allowing prohibited information to circulate online, and internet operators must also provide “technical support” to authorities during national-security or criminal investigations.

These new rules will do nothing to assuage the foreign companies’ worries about the security of their proprietary information, said William Zarit, chairman of the American Chamber of Commerce in China, a trade group.

The regulations grant authorities access to any information related to cybersecurity--a category so broadly defined as to include just about everything, he said.

“It justifies for the authorities the right to basically copy or access anything,” Mr. Zarit said. “It doesn’t seem like companies have a choice.”

Write to Shan Li at shan.li@wsj.com