China to impose security check on infrastructure IT procurement

BEIJING — China will next month require operators of public infrastructure such as telecommunications and transport to undergo a security review of their suppliers when they procure servers and other information technology equipment.

The requirement is aimed at preventing disruptions in the supply of IT equipment as a result of political, diplomatic and other developments, according to the Chinese government. But foreign companies may be shut out of procurement as a result.

The government also plans to limit the use of customer data by foreign companies as it is reinforcing its “China first” policy at a time when U.S. President Donald Trump is lashing out at China more strongly than ever.

China will put a new law into force on June 1 under its Cybersecurity Law in force since 2017. It will require telecommunications, transport, finance and other public infrastructure operators planning to procure IT equipment to submit contracts and results of analyzed risks, including those related to national security, to the government for prior examination.

Although the details of the examination are unknown, the government said it will check the risk of supply disruptions caused by political, diplomatic and trade issues.

The new law will apply to companies managing information on public infrastructure indispensable for the people’s daily lives, such as telecom and information services, energy, traffic, finance and public services. Devices and services subject to the review will include personal computers, servers, network equipment and cloud services.

Foreign tech giants operating in China like HP and Dell Technologies could find themselves being excluded from the list of eligible suppliers for Chinese infrastructure companies. Some observers say Japanese companies will also be subject to the new restrictions.

The new rules requiring companies buying networking products to perform cybersecurity evaluations for vulnerabilities that could affect national security, to be introduced in June, will basically cover hardware. But China plans to impose similar regulatory control over data. Beijing may start implementing administrative regulations related to the Cybersecurity Law to protect sensitive data and personal information.

The regulations will set basic rules concerning how businesses should deal with personal data obtained in China and restrict the transfer of such data overseas.

The measures may ban foreign companies operating in China from transferring their customer information out of China without obtaining permission from authorities or require them to submit such information when requested. That means foreign companies will probably have to create special information infrastructure for their Chinese operations separate from the systems used by their headquarters at home.

Chinese President Xi Jinping’s administration is clearly stepping up its efforts to develop unique homegrown supply chains for both IT equipment and data.

Under its “Made in China 2025” policy initiative, unveiled in 2015, the Xi administration pledged to promote domestic production of IT products, while the Cybersecurity Law has established guiding principles for restricting foreign companies’ use of data acquired in China.

The coronavirus pandemic is negatively affecting global supply chains. If China shuts out U.S. companies by tightening restrictions on procurement of information communications and data, it could further intensify anti-Chinese sentiment in the U.S. It could also affect the outcome of the U.S. presidential election in terms of the China policy of President Donald Trump, who is becoming increasingly critical of the country.

Source Article