There was a piece in Fortune today that made me laugh out loud, and not because it was funny. China is finally getting resistance to its cyber terrorism "draft legislation" (as the Fortune article called it: http://fortune.com/2016/08/17/china-cybersecurity-law-foreign-business/) that was being enforced 5 years ago. When I testified on the Hill, the entire first session of our Committee was on this legislation, and that was over a year ago. They call it draft until it suits them, but enforce it anyway while they bring more companies in. It is laughable to call a policy that has been enforced for so long "draft".
Not that I'm not glad to see a few businesses putting up a fuss about it, but they should have done it years ago. Companies that operate in China have often given in to Chinese demands under the pretext that "it's the law". That means if we passed a law that said all Chinese companies that operate in the US must turn over their source code and encryption mechanisms so that NSA can view their internal communications - just in case we have terrorists in those companies - that would be OK with the Chinese companies. Ridiculous. They would be pounding on the doors of every Congressman on the Hill.
More than that, the article quotes an official response to Reuters from the Chinese government that basically says "don't worry about this because it is just for a few select companies". They are trying to negotiate on the fly with the most restrictive business policy ever drafted for data control. They keep this policy intentionally vague (another complaint from businesses) and hope businesses will voluntarily comply with a law that is called a "draft". Still, they won't back down, though they may move a step back until their position is consolidated and they have what they want. They are known for backing off, but always coming back with a new, more palatable version of the same thing.
That response to Reuters also said "every country does this." Not even close. China's biggest trading partners do not. Some countries other than those do demand access to networks as a condition of operating in their country. That is not the same thing. Some countries demand services be unencrypted, but the majority do not. Some countries demand a man-in-the-middle, but most countries don't operate in those places unless they have to. Not only does everyone not do it, but even those who do are criticized for it. They deserve the criticism they are getting.
I see this as a good sign that Boards of Directors are finally looking at the government's stance on data security - in places other than the U.S., which is not stealing their proprietary data, building enterprises to compete with them, making it more difficult to operate in competition with state-owned or controlled entities, and thumbing their noses at any company that objects. Amen to that.