Lunch & Learn: Recent Challenges for International Technology Companies in China
19 January 2015
Presented by Paul McKenzie and Gordon Milner
mofo.com
Lunch & Learn
- 2nd Monday of each month
- 45 minutes via webinar
- Unaccredited CPD points

Upcoming topics
- Monday, 9 February 2015: Anti-corruption Compliance: Minimizing the Supply Chain Risk. Speakers: Alistair Maughan & Kevin Roberts
- Monday, 9 March 2015: Drafting Effective Arbitration & Dispute Resolution Agreements. Speaker: Gemma Anderson
Today
- Questions at the end, or e-mail us afterwards.
- Phones are muted to reduce background noise. We'll unmute at the end.
Background
Background: 2011-2013
- March 2011: China's National People's Congress approves the Five-Year Plan. Sets information security as a key priority for 2011-2015, including domestic control of hardware and software.
- May 2011: State Internet Information Office (SIIO) set up
- October 2012: US congressional report on national security risks posed by Huawei
- January 2013: China's National Information Security Standards Technical Committee (TC260) includes support for an information security review process in its annual work plan
- June 2013: Snowden disclosures
Background: 2014
- January 2014: Xi sets up the Cybersecurity Administration of China (CAC) through a restructuring of the SIIO
- May 2014:
  - US indictment of PLA officers
  - Market rumour that SOEs told not to use US IT consulting firms
  - Healthcare measures reference the national cybersecurity review regime
  - Windows 8 banned from the government procurement (GP) market
  - CAC announces coming cybersecurity review rules
- August 2014:
  - Symantec and Kaspersky banned from the China GP market
  - Ministry of Industry and Information Technology (MIIT) issues Guiding Opinions
Why now?
- Media revelations on the activities of security services: the Snowden disclosures seem to have accelerated Chinese efforts and made the Chinese government more vocal
- Tit for tat: Huawei / ZTE challenges in the US market; PLA indictments
- Emergence of "local heroes": development of domestic IT companies has made China less dependent on foreign IT. And yet.
Existing Regime
Existing Regime
- Heavy media focus on potential new laws, but current action is taken under the existing statutory regime
- Existing patchwork of laws, regulations and measures issued by various overlapping authorities, including:
  - Cybersecurity Administration of China (CAC)
  - Ministry of Public Security (MPS) / Public Security Bureau (PSB)
  - China Information Security Certification Center (CISCC)
  - State Cryptography Administration (SCA)
- Regulations on the Protection of Computer Information Systems (PCIS Regulations), issued in 1994, provide the key framework
Administrative Measures for the Graded Protection of Information Security
- Issued under the PCIS Regulations by MPS in 2007
- Applies to a company's own computer systems
- Establishes five grades of information systems based on the potential damage a failure could cause
- Different grades have different consequences:
  - Grade 2+ requires assessment of risk against national standards and filings with the PSB
  - Grade 3+ products need a PRC domestic producer and IP rights, a declaration of no back doors, and regular inspections by an authorized agency
- Examples of impact:
  - Intrusive inspection requests by the PSB
  - Chinese entities requiring suppliers to provide source code
Measures on the Administration of Product Testing and Sales Permit of Computer Information System Security Special Products
- Issued under the PCIS Regulations by MPS in 1997
- Covers hardware and software ("Security Products") used for:
  - Physical security
  - Operational security
  - Information security
- China producer or distributor must apply for a per-product sales permit
  - Requires submission of the product for testing by a Chinese lab
  - Need to retest whenever security functions change
- Sale without a permit is unlawful
- Inclusion of any "harmful data" which endangers the security of information systems may be a criminal offence
- Easy to miss compliance for non-core functionality and add-ons
Notice on Establishing the National Information Security Product Certification and Accreditation System
- Issued by CISCC and other regulators in 2004
- Covers 13 types of product, including:
  - firewalls
  - backup
  - intrusion detection
- Overlaps with the MPS Security Products Measures, but is technically a distinct regime
- Must be certified by CISCC before sale in China
- Technically applies to all sales, but no penalties and historically only enforced in government tendering
New Laws
Guiding Opinions on Strengthening Network Security in the Telecommunications and Internet Sectors
- Issued by MIIT, September 1, 2014
- Calls for strengthening of network security, including through enhanced enforcement of the 2010 Measures
- Calls for promotion of the use of "secure and controllable" hardware and software
- Encourages establishment of network security certification systems
Guiding Opinions regarding Application of Secure and Controllable Information Technologies to Strengthen Network Security and Informatization of the Banking Sector
- Issued by CBRC, MIIT, NDRC and MOST, September 3, 2014
- Priority to "secure and controllable" information technologies in processing sensitive customer data. Initial focus on network equipment, storage, middle-end and low-end servers, information security, maintenance services and word processing software
- Sets goals for individual banks in the use of secure and controllable technologies: 15% in 2015; 75% in 2019
- Calls for establishment of cybersecurity review standards for the banking sector
- The Guiding Opinions include general language encouraging indigenous innovation, without providing detail as to how it will be encouraged. At the same time they call for open cooperation
DRAFT Information Security Techniques: Basic Requirements of Security for Cloud Computing Service Providers of Government Departments
- Issued by GAQSIQ and SAC, July 2012
- Applies to the provision of cloud computing services to the government procurement market
- Sets out various requirements for service providers, including:
  - must be locally incorporated
  - must have passed information security certification
  - data processing, transmission and storage must be undertaken in China
- Stipulates various conditions that must be met by the security technology utilized in the provision of cloud services
Other developments (1)
- Administrative Measures on Management of Population Health Information, issued May 2014 by the National Health and Family Planning Commission
  - Requires products utilized in healthcare IT systems to comply with the national cybersecurity review regime
- Security Code of Conduct for Information Security Technology of Information Technology Products Suppliers for Information Technology Products, issued by TC260 for comment, spring 2014
- Draft Self-discipline Convention on Safeguarding User's Network Security by Information Technology Product Suppliers, distributed December 2, 2014 by TC260 and CISCC
  - Limits the scope of remote control; requires that users be given the ability to disable it
  - Prohibits inclusion of backdoor / covert interfaces
  - Calls for testing of functions such as data collection and remote control functions in appropriate cases
Other developments (2): Cybersecurity review regime
- Alluded to in various regulations and government pronouncements
- May 22, 2014: news broadcast by SIIO officials describing basic parameters: focus on data security and controllability of key IT
- November 27, 2014: SIIO head comments that the cybersecurity review system will be announced soon; likely not a single document but a system with elements that include legal provisions, policies, national standards and a bureaucratic organization
- January 19, 2015: SIIO official comments at an industry meeting that cybersecurity review measures will be submitted for government review in February
Strategies
Things to Consider
- Business as usual?
  - Review existing business practices and products for compliance
  - Even without new legislation, BAU may not be advisable
- Remote access functionality: query whether to include / disable?
- Avoid discriminatory pricing practices
- Be prepared to disclose
  - Builds trust
  - Will likely be necessary under the new cybersecurity rules
- Consider a PRC-specific code base
Structuring Strategies
- Go local
  - Establish a local presence and employ staff in China
  - Set up in a Free Trade Zone?
- Show skin in the game
  - Simple absentee licensee model becoming less viable
  - Joint ventures with customers
  - Joint ventures with local partners
  - Work with strategic SOEs?
- Operational partners, investment partners, strategic partners
Marketing Strategies
- Emphasize the long haul
- Focus on China problems, or at least market yourself as such (GE)
- Differentiate yourself from the "local heroes": bring higher-tier technologies to China
- Local branding?
Protect Your IP
- Protecting disclosed IP:
  - Patents
    - Difficult to obtain software patents in China
    - Consider utility model patents for physical devices
  - Copyright
    - Registration? Filing with the China Copyright Protection Center (CPCC)
    - Voluntary, not mandatory
    - Provides key procedural advantages
    - Rather bureaucratic and cumbersome procedure
    - Historically not heavily used due to concerns over disclosure, but
Any questions?
Lunch & Learn

Paul D. McKenzie
Managing Partner, Beijing
Corporate Practice
T: +86 (10) 59093366
E: PMcKenzie@mofo.com

Gordon A. Milner
Partner, Hong Kong
Technology Transactions Practice
T: +852 25850808
E: GMilner@mofo.com