Lunch & Learn

25
mofo.com Lunch & Learn: Recent Challenges for International Technology Companies in China 19 January 2015 Presented By Paul McKenzie and Gordon Milner

Transcript of Lunch & Learn


Page 2: Lunch & Learn

Lunch & Learn

• 2nd Monday of each month
• 45 minutes via webinar
• Unaccredited CPD points
• Upcoming topics
  • Monday, 9 February 2015: “Anti-corruption Compliance: Minimizing the Supply Chain Risk” Speakers: Alistair Maughan & Kevin Roberts
  • Monday, 9 March 2015: “Drafting Effective Arbitration & Dispute Resolution Agreements” Speaker: Gemma Anderson

Page 3: Lunch & Learn

Today

• Questions at the end. Or e-mail us afterwards.

• Phones are muted to reduce background noise.
• We’ll unmute at the end.

Page 4: Lunch & Learn


Background

Page 5: Lunch & Learn

Background – 2011-2013

• March, 2011: China’s National People’s Congress approves 5 Year Plan
  • Sets information security as key priority for 2011-2015; domestic control of hardware and software
• May, 2011: State Internet Information Office set up
• October, 2012: US congressional report on national security risks posed by Huawei
• January, 2013: China’s National Information Security Standards Technical Committee (TC260) includes in annual workplan to support information security review process
• June 2013: Snowden disclosures

Page 6: Lunch & Learn

Background – 2014

• January, 2014: Xi sets up Cybersecurity Administration of China (CAC) through restructuring of SIIO
• May 2014:
  • US indictment of PLA officers
  • Market rumour that SOEs told not to use US IT consulting firms
  • Healthcare measures reference national cybersecurity review regime
  • Windows 8 banned from GP market
  • CAC announces coming cybersecurity review rules
• August 2014:
  • Symantec, Kaspersky “banned” from China GP market
  • Ministry of Industry and Information Security (MIIT) issues Guiding Opinions

Page 7: Lunch & Learn

Why now?

• Media revelations on activities of security services
  Snowden disclosures seem to have accelerated Chinese efforts and made Chinese government more vocal
• ‘Tit for tat’
  Huawei / ZTE challenges in US market; PLA indictments
• Emergence of local heroes
  Development of domestic IT companies has made China less dependent on foreign IT. And yet….

Page 8: Lunch & Learn


Existing Regime

Page 9: Lunch & Learn

Existing Regime

• Heavy media focus on potential new laws
• But current action taken under existing statutory regime
• Existing patchwork of laws, regulations and measures issued by various overlapping authorities including:
  • Cybersecurity Administration of China (CAC)
  • Ministry of Public Security (MPS) / Public Security Bureau (PSB)
  • China Information Security Center (CISCC)
  • State Cryptography Administration (SCA)
• Regulations on the Protection of Computer Information Systems (PCIS Regulations) issued in 1994 provide key framework

Page 10: Lunch & Learn

Administrative Measures for the Graded Protection of Information Security

• Issued under the PCIS Regulations by MPS in 2007
• Applies to company’s own computer systems
• Establishes five grades of information systems based on potential damage a failure could cause
• Different grades have different consequences:
  • Grade 2+ require assessment of risk against national standards and filings with PSB
  • Grade 3+ products need PRC domestic producer and IP rights, declaration of no back doors, and regular inspections by authorized agency
• Examples of impact:
  • Intrusive inspection requests by PSB
  • Chinese entities requiring suppliers to provide source code

Page 11: Lunch & Learn

Measures on the Administration of Product Testing and Sales Permit of Computer Information System Security Special Products

• Issued under the PCIS Regulations by MPS in 1997
• Covers hardware and software (“Security Products”) used for:
  • Physical Security
  • Operational Security
  • Information Security
• China producer or distributor must apply for per product sales permit
  • Requires submission of product for testing by Chinese lab
  • Need to retest whenever security functions change
• Sale without permit is unlawful
• Inclusion of “any harmful data which endangers security of information systems” may be a criminal offence
• Easy to miss compliance for non-core functionality and addons

Page 12: Lunch & Learn

Notice on Establishing the National Information Security Product Certification and Accreditation System

• Issued by CISCC and other regulators in 2004
• Covers 13 types of product, including:
  • firewalls
  • backup
  • intrusion detection
• Overlaps with MPS Security Products Measures
  • But technically distinct regime
• Must be certified by CISCC before sale in China
  • Technically applies to all sales
  • But no penalties and historically only enforced in Government tendering

Page 13: Lunch & Learn


New Laws

Page 14: Lunch & Learn

Guiding Opinions on Strengthening Network Security in the Telecommunications and Internet Sectors

• Issued by MIIT, September 1, 2014
• Calls for strengthening of network security, including through enhanced enforcement of 2010 Measures
• Calls for promotion of use of secure and controllable hardware and software
• Encourages establishment of network security certification systems

Page 15: Lunch & Learn

Guiding Opinions regarding Application of Secure and Controllable Information Technologies to Strengthen Network Security and Informization of Banking Sector

• Issued by CBRC, MIIT, NDRC, MOST, September 3, 2014
• Priority to “secure and controllable information technologies” in processing sensitive customer data. Initial focus on network equipment, storage, middle-end and low-end servers, information security, maintenance services and word processing software
• Sets goals for individual banks in use of secure and controllable technologies: 15% in 15%; 75% in 2019
• Calls for establishment of cyber security review standards for banking sector
• The Guiding Opinions include general language encouraging indigenous innovation, without providing detail as to how it will be encouraged. At the same time they call for “open cooperation”

Page 16: Lunch & Learn

DRAFT Information Security Techniques – Basic Requirements Of Security For Cloud Computing Service Provider Of Government Department

• Issued by GAQSIQ and SAC, July 2012
• Applies to provision of cloud computing services to government procurement market
• Sets out various requirements for service providers, including:
  • must be locally incorporated
  • must have passed information security certification
  • data processing, transmission and storage must be undertaken in China
• Stipulates various conditions that must be met by the security technology utilized in provision of cloud services

Page 17: Lunch & Learn

Other developments (1)

• Administrative Measures on Management of Population Health Information, issued May, 2014 by National Health and Family Planning Commission
  • Requires products utilized in healthcare IT systems to comply with the “national cybersecurity review regime”
• Security Code of Conduct for Information Security Technology of Information Technology Products Suppliers for Information Technology Products, issued by TC260 for comment, spring 2014
• Draft Self-discipline Convention on Safeguarding User's Network Security by Information Technology Product Suppliers, distributed December 2, 2014 by TC260 and CISCC
  • Limits scope of remote control; requires that users be given ability to disable
  • Prohibits inclusion of backdoor “covert interfaces”
  • Calls for testing of functions such as data collection and remote control functions in appropriate cases

Page 18: Lunch & Learn

Other developments (2)

• Cybersecurity review regime
  • Alluded to in various regulations and government pronouncements
  • May 22, 2014 news broadcast by SIIO officials describing basic parameters: focus on data security and controllability of key IT.
  • November 27, 2014: SIIO head comments that the cybersecurity review system will be announced “soon” – likely not a single document but a system with elements that include legal provisions, policies, national standards and a bureaucratic organization.
  • January 19, 2015: SIIO official comments at an industry meeting that cybersecurity review measures will be submitted for government review in February.

Page 19: Lunch & Learn


Strategies

Page 20: Lunch & Learn

Things to Consider

• Business as usual?
  • Review existing business practices and products for compliance
  • Even without new legislation, BAU may not be advisable
• Remote access functionality
  • Query whether to include/disable?
• Avoid discriminatory pricing practices
• Be prepared to disclose
  • Builds trust
  • Will likely be necessary under new Cybersecurity rules
  • Consider PRC specific code base

Page 21: Lunch & Learn

Structuring Strategies

• Go local
  • Establish a local presence and employ staff in China
  • Set up in Free Trade Zone?
• Show “skin in the game”
  • Simple absentee licensee model becoming less viable
  • Joint ventures with customers
  • Joint ventures with local partners
• Work with strategic SOEs?
  • Operational Partners
  • Investment Partners
  • Strategic Partners

Page 22: Lunch & Learn

‘Marketing’ Strategies

• Emphasize the long haul
• Focus on “China problems”
  • Or at least market yourself as such
  • GE
• Differentiate yourself from the local heroes
  • Bring higher tier technologies to China
• Local branding?

Page 23: Lunch & Learn

Protect Your IP

Protecting disclosed IP:
• Patents
  • Difficult to obtain software patents in China
  • Consider utility model patents for physical devices
• Copyright Registration?
  • Filing with China Copyright Protection Center (CPCC)
  • Voluntary not mandatory
  • Provides key procedural advantages
  • Rather bureaucratic and cumbersome procedure
  • Historically not heavily used due to concerns over disclosure, but…

Page 24: Lunch & Learn


Any questions?

Page 25: Lunch & Learn

Lunch & Learn

Paul D. McKenzie
Managing Partner, Beijing
Corporate Practice
T: +86 (10) 59093366
E: [email protected]

Gordon A. Milner
Partner, Hong Kong
Technology Transactions Practice
T: +852 25850808
E: [email protected]

• Monday, 9 February 2015: “Anti-corruption Compliance: Minimizing the Supply Chain Risk” Speakers: Alistair Maughan & Kevin Roberts

• Monday, 9 March 2015: “Drafting Effective Arbitration & Dispute Resolution Agreements” Speaker: Gemma Anderson