Beyond tariffs: China could retaliate through cybersecurity
Published 05 April 2018
China’s cybersecurity law can be used as a form of “backdoor” trade retaliation to hurt US firms in China.
“Why are we only making slogans?”
As the Trump administration prepares a series of trade actions and investment restrictions against China, Beijing has signaled its intention to respond. The Chinese government has already announced tariffs on US imports of pork, scrap aluminum, wine and fruit, but there is still much uncertainty about what additional form Chinese retaliation could take.
There are credible rumors of Beijing drawing up lists of US companies with strong domestic competitors that it would block from the Chinese market (however, there is no publicly available information on this). Chinese media is awash with nationalist calls for a tougher stance against the United States. One user posted: “The US had already declared a war. Why we were only making slogans?”
If — or when — negotiations break down
Both sides are engaged in negotiation that could result in a deal. There is a strong case to be made that the Chinese government will not change behavior absent external pressure. After all, it was the threat of sanctions against Chinese companies ahead of President Xi Jinping’s state visit to Washington in September 2015 that paved the way for the agreement on cyber-enabled industrial espionage. (Although the deal does not appear to be holding up.)
Yet if negotiations break down, and we enter a period of extended hostility, retaliation from Beijing will go beyond retaliatory tariffs. The Chinese government has other — more opaque and unwritten — channels to employ against US firms with significant assets in China’s market. Specifically, China’s cybersecurity law can be used as a form of “backdoor” trade retaliation by opening up a number of informal tools to hurt US firms in China.
Indeed, the very existence of these informal tools lies at the heart of the systemic problems that the Trump administration is seeking to address, from security audits that put intellectual property at risk to using cybersecurity to advance industrial policies. The Trump administration is correct to address these issues. But in doing so, it also must have a clear understanding about the consequences of its style of confrontation and where, specifically, there will be additional costs beyond US or Chinese tariffs.
“Backdoor” retaliation via China’s cybersecurity laws
To minimize loss in trade conflicts, the World Trade Organization set up the principle that trade retaliation should be proportionate and public. Yet, below are just three “backdoor” retaliation tools China could deploy where the tech sector would bear the brunt of a protracted US-China trade war, and that allow China to avoid the appearance of directly confronting US trade actions:
Black box cybersecurity reviews: In the information communications technology (ICT) sector, US companies with domestic Chinese counterparts may see licenses canceled or denied under various cybersecurity reviews and certifications. There are at least six different cybersecurity reviews that the government could use to delay or block market access. The reviews are essentially a “black box,” because we do not know what they entail and what is required to pass them. Reviews are conducted at multiple levels of the bureaucracy without visibility into criteria, which allows Beijing to wreak havoc on US company operations.
Hardline interpretation of ambiguous rules in China’s cybersecurity law: Some of the more concerning provisions in China’s cybersecurity law (for example, data localization, onerous rules for critical information infrastructure) are written broadly, leaving space for interpretation when it comes to how they will be implemented. To be sure, many US companies already are preparing for conservative readings of these provisions in their operations in China and have found the Chinese side less than responsive in channels for engagement on these topics. Undefined terms in the cybersecurity law such as “important data” and “critical information infrastructure” could become tools to hold up licenses and approvals.
Meanwhile, there are a number of ongoing bilateral dialogues that have become important channels for gaining such clarifications that could now come to a halt. In some cases, Chinese domestic industry has been an important ally to US companies on pending regulatory issues, despite being competitors. These local champions could become less helpful to US partners as trade tensions spill over to affect the broader bilateral relationship, particularly if these Chinese companies are blocked from the United States in a cycle of retaliation.
Encryption requirements: Beijing has a draft encryption law currently in the legislative process. If enacted and enforced, the law could be interpreted to require only preapproved domestic encryption products — a redline for many foreign companies in China. This has been a regulatory gray zone for years, and the Chinese government recognizes that enforcement would come at too high a cost for the foreign firms that, until now, the government wanted to stay in the market. An exemption in the current regulation allows companies to apply for approval to use foreign-produced commercial encryption products. But in a trade war, all bets are off.
The draft law include decryption demands when national security is involved, on-site inspections to access data and seize equipment, and a national security review for certain kinds of encryption products and services. US companies have expressed concern over these requirements. If enacted, the law would significantly strengthen enforcement powers of China’s State Cryptography Administration through expanded government supervision and access under China’s first-ever uniform encryption regime. Since the rules for this new regime are still being written, they can easily become another “backdoor” tool.
Why the approach to confrontation with China matters
It is telling that a March 22 report issued by the Office of the US Trade Representative paid far less attention to China’s cybersecurity law than it did to China’s “Made in China 2025” policy. Since so much of the law is still pending clarification from Chinese authorities, it is understandable that the report did not go into much detail about its practical effects. Yet, the cursory treatment of the cybersecurity law and its broader framework in the report underscores how the Trump administration’s approach is not calibrated to solve these challenges and could make them worse.
While a quick deal with Beijing will reduce escalation risks, it is more likely that the outcome of negotiation would be a symbolic win for the Trump administration without addressing these deeper challenges impacting all ICT and the digital trade.
For a detailed discussion of cybersecurity audits and their practical implications, read chapter 6 entitled, Beijing’s Cyber Governance System, in the recent CSIS report, Meeting the China Challenge.