The Chinese government has been busy. Last year, it unveiled a new cybersecurity law known as the Cybersecurity Multi-Level Protection Scheme (MLPS 2.0). The law, which went into effect in December, effectively means the government has unrestricted access to all data within the country, whether it’s being stored on Chinese servers or transmitted through Chinese networks.
“There will be no secrets,” writes Steve Dickinson on the China Law Blog. “No VPNs. No private or encrypted messages. No anonymous online accounts. No confidential data. Any and all data will be available and open to the Chinese government… there will be no place for foreign-owned companies to hide.”
Yes, it is that bad...
It’s exactly as bad as it sounds, and it gets worse. The MLPS 2.0 is supported by two additional pieces of legislation, both of which strip away any protections, safeguards, and loopholes that might once have been used to maintain the sanctity of corporate data. Both went into effect at the beginning of this month.
The first is a new Foreign Investment Law which, as Dickinson notes, treats foreign investors exactly the same as Chinese investors. Although this has been billed as a means of simplifying the investment process, in practice it strips foreign investors of many of the rights they previously enjoyed. Areas of the market previously closed to foreign companies will remain closed.
The second, as reported by Engadget, establishes a new set of guidelines surrounding encryption. Again, on the surface, these seem like they were proposed with the common good in mind. It’s only on closer examination that cracks start to appear.
Under the new cryptography law, the development, sale, and use of cryptographic systems “must not harm the state security and public interests.” Further, cryptographic systems that are not “examined and authenticated” are also illegal. In short, if your business tries to shield information from the government, you can and will be punished.
What’s more, if your data center uses a Chinese-owned software service, for instance, all data stored and managed by that service can be seized. That includes trade secrets, financial information, and more. Similarly, if you maintain any assets within the country, you do not have full control over them; they can be seized by the government at any time and with minimal justification.
As noted by technology publication TechNode, the data localization requirements included in this new legislation are also actively harmful to cloud security. Citing a report by the Asia Cloud Computing Association, TechNode explains that where data is stored matters less than how it is stored. As such, localization does precious little to protect sensitive information, while simultaneously creating easily targetable ‘gold mines’ of data that hackers can exploit at their leisure.
Writing on the wall
Anyone who didn’t see this coming hasn’t been paying attention. China has never been shy about its disregard for privacy and data security. These new regulations are simply a formalization of what has long been the norm within the country.
But that doesn’t make them any less problematic, particularly for data centers.
At this point, we really only have two options:
- The first is to simply stop doing business in China, including through partnerships. With luck, if enough companies follow that route, it might pressure the Chinese government into rescinding the legislation.
- The second is to simply accept reduced privacy and security as the cost of doing business.
I’d like to think that we’ll take a stand and go with option one. Sadly, however, the latter is the route most will likely take. Because for many, that cost outweighs the benefits.