China’s legislature approved its Cybersecurity Law this past November, solidifying China’s regulatory regime for cyberspace and potentially disrupting foreign companies that use or provide telecommunications networks in China. The law takes effect June 1, 2017, and reflects China’s desire for “cyber-sovereignty” (regulating the Internet in China according to national laws, despite the global nature of the World Wide Web). As the Chinese Communist Party (CCP) faces pressure from slowing economic growth and foreign influence, the Cybersecurity Law is one in a series of laws the Chinese government has implemented recently to uphold state security.
Significant Provisions of the Law
Though the wording of the law is vague, it formalizes many current practices and aims to consolidate cybersecurity authority under the Cybersecurity Administration of China. While the government is expected to offer more clarification on the law through implementation rules, how the law plays out in practice will be the ultimate indicator of the law’s severity. These three aspects of the law have the greatest potential to affect multinational companies (MNCs) doing business in China, according to an NACD analysis:
1. Data localization: Article 37 of the law is one of the most contentious and requires that personal information and other important data that “critical information infrastructure” (CII) operators gather or generate in mainland China be stored in mainland China. CII operators must have government approval to transfer this data outside the mainland if it’s “truly necessary.” The definition of CII is a catch-all, including public communication and information services, power, traffic, water, finance, public service, electronic governance, in addition to any CII that would impact national security if data were compromised.
Impact: The broad applicability of the CII definition raises the concern that any company using a telecommunications network to operate or provide services in China would be required to store data in mainland China, possibly even affecting those that store data to clouds with servers located outside mainland China.
2. Support for Chinese security authorities: Article 28 requires “network operators” to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations. Network operators are broadly defined as those that own or administer computer information networks or are network service providers, which may include anyone operating a business over the Internet or networks.
Impact: The loose definition of “technical support” creates the concern that MNCs will be required to grant Chinese authorities access to confidential information, compromising private information and intellectual property that may be shared with state-owned competitors. Although not stated in the final version of the law, there is also the possibility that companies may be required to provide decryption assistance and backdoor access to authorities upon request.
3. Certified network equipment and products: For network operators, Article 23 indicates that “critical network equipment” and “specialized network security products” must meet national standards and pass inspection before they can be sold or supplied in China. A catalogue providing more specification on these types of products will be released by the government administrations handling cybersecurity. Under Article 35, CII operators are also required to undergo a “national security review” when purchasing network equipment or services that may affect national security.
Impact: Chinese companies and government agencies have historically relied on computer hardware and software manufactured by foreign companies, although this is now shifting in favor of domestic IT products. Opportunities for hacking and espionage put China at risk of losing sensitive information to foreign governments or companies, and China has already started conducting reviews of the IT security products used by the central levels of government. This provision of the Cybersecurity Law demonstrates China’s resolve to mitigate this risk and may pose a significant barrier to foreign IT equipment manufacturers selling products in China.
How Directors Can Prepare
China’s Cybersecurity Law has been criticized by the foreign business community, and, depending on the law’s implementation, it may make doing business in China for MNCs not only more complex but also riskier. Tom Manning, a China specialist at the University of Chicago Law School and director of Dun & Bradstreet, CommScope, and Clear Media Limited, advises boards to consider the effect of the Cybersecurity Law in the greater context of China’s rise: “The Chinese economy is increasingly more self-sufficient. Domestic companies are growing stronger and are more capable, while multinational companies are finding it more difficult to compete.”
Manning suggests boards conduct an overall China risk assessment, with the Cybersecurity Law as the focal point. While some companies may determine the risk of doing business in China is too high, Manning says, others might decide they need to invest more in China to be profitable. Ultimately, creating alliances with domestic firms, who have a greater influence over the government’s implementation of the law, may be key. “Leading domestic companies have a stake in seeing a better definition of the law, and their interests aren’t unaligned with multinational companies,” Manning says. “Chinese Internet companies can explain to the government how the law will affect their business models and be more effective in doing so than Western companies.”
Although how the law will be enforced remains to be seen, boards can consider the following questions when evaluating the impact of China’s Cybersecurity Law:
Are we storing information generated or gathered in mainland China on servers in mainland China? Do we need to create separate IT systems for China-specific data? Are we reliant on cross-border data transfers, and how would we approach this need with the Chinese government?
What is our risk exposure stemming from the potential loss of intellectual property or encryption information as a result of this law? How would our business be affected should our Chinese competitors gain access to this information?
For computer hardware or software manufacturers, are we willing to share our source code with the Chinese government?
For technology firms, how does the law alter the playing field for our company to compete in China against domestic firms?
What additional investments do we need to make in order to comply with this law?
Assumptions about the geopolitical and regulatory environments are critical inputs into strategy-setting. If one or more assumptions prove invalid, the strategy and business model may require adjustment, and whether the organization is proactive or reactive is often a function of the effectiveness of its monitoring process. Protiviti recently met with 22 active directors during a dinner roundtable. The discussion revealed directors’ oversight concerns amid escalating geopolitical tensions and significant regulatory shifts.
The jury is still out regarding what the Trump administration and Congress can accomplish on major policy fronts. What has become evident is that there are many policy initiatives that could have significant impacts on business at home and globally. These initiatives include tax reform, fair trade, energy independence, immigration policy (including H-1B visas), infrastructure investment, employment and labor, and streamlining of governmental agencies, among others.
Regulatory shifts are also possible, including healthcare reform, dismantling Dodd-Frank, and a scaling-back of the Environmental Protection Agency. Regulations could be impacted by cutbacks at several agencies.
Some directors expressed concern over the short-termism of thinking inside the Beltway, as well as longer-term sustainability issues such as income inequality, student debt levels, and pay-for-performance. They also voiced concern about policy decisions that could create talent shortages.
What role does the board play in overseeing developments in policy and regulatory reform, and how often is the board briefed on fresh developments? How are significant geopolitical developments considered?
Several concepts for sound oversight were discussed.
1. A process is required to navigate the effects of policy, regulatory, and geopolitical shifts. This process should include monitoring legislative, regulatory, and global market developments through hiring insiders and consultants; tracking developments in published sources; monitoring geopolitical hot spots; and keeping close tabs on special interest groups. The process also entails engaging legislators, regulators, and policymakers through a variety of communications tactics, and continues with responses to new legislation and regulations through performing impact assessments, updating policies, modifying existing processes and systems, and implementing new ones.
During the roundtable, several directors expressed concern about fair trade and risk of protectionist policies. The new administration appears to be committed to a reset of the North American Free Trade Agreement (NAFTA) and the Trans-Pacific Partnership. It is also focused on addressing trade issues with China. How these policy initiatives play out can significantly affect companies’ operations in or exports to these foreign markets and even transactions with suppliers in these markets.
2. Evaluate strategic assumptions. Every organization’s strategy has underlying explicit or implicit assumptions about the future that represent management’s “white swans,” or expectations about the regulatory environment and global markets. In these times of uncertainty, it makes sense for the board to assess the underlying strategic assumptions in light of likely policy actions by the executive or legislative branches that can impact the regulatory and geopolitical landscapes. If it’s possible that one or more assumptions might be rendered invalid, senior management should assess the ramifications to the strategy and business model.
3. Consider the implications of scenarios germane to the sectors in which the organization operates and prepare accordingly. Management should define plausible and extreme scenarios. The impact of various policy initiatives on the company’s markets, channels, customers, labor pool, supply chains, cost structure, discretionary spend, and business model should be considered. Scenario planning can be useful for formulating response and contingency plans. One major Japanese automaker spent three months following the 2016 election evaluating alternative scenarios resulting from Trump’s policies and their impact on U.S. and global sales. The company formulated contingency plans to pivot should a disruptive change occur, while also embracing the incoming administration as a market opportunity.
4. Prepare for more discretionary spending capacity. The Trump administration is looking to reduce the corporate tax rate significantly and make it easier for U.S. firms to repatriate profits earned and taxed abroad. It also seeks to eliminate the corporate alternative minimum tax and provide special deductions for firms engaged in domestic manufacturing. While these proposals have a long road to being passed, companies should consider how to deploy the hypothetical additional cash flow. Some examples include undertaking new investments, reigniting deferred projects, enhancing compensation to retain employees, and increasing dividend rates, among other options.
5. Pay attention to sovereign risk. The primary objective of managing sovereign risk is to protect company investments from risks of impairment and sustain returns on investment (ROI). Investment impairments from confiscatory actions such as nationalization of the business or expropriation of assets may occur. ROI reductions may arise from discriminatory actions directed to the company, a targeted industry, or companies from certain countries in response to American policy. Actions could include additional taxation, price or production controls, and exchange controls. In addition, investment impairments and ROI reductions may occur due to circumstances such as violent political unrest or war. These risks must be addressed by understanding the driving forces of change in countries where the company does business and taking proactive steps to manage exposures.
When high risk of confiscation or discrimination emerges, your company might consider repatriation of cash to the extent allowed by controls and currency conditions. Look at managing down the investment by avoiding additional capital investments, ceasing inventory replenishment from abroad, and financing payroll and other operational functions through local cash flow. Initiating an exit by divesting assets is an option if a willing buyer is available. If necessary and feasible, moving tangible and intangible assets out of harm’s way may be appropriate. Entering into joint ventures with local and foreign partners may reduce exposure to confiscation risk, since the presence of nationals can keep a multinational under the radar. If cost-effective, political risk insurance is another option covering the risks of confiscation, political violence, insurrection, civil unrest, and discrimination.
6. Diversify if revenue mix is dependent on government funding. Defense contractors can capitalize on defense spending; materials companies, heavy equipment manufacturers, and construction contractors can focus on infrastructure spending opportunities. However, companies and nonprofit organizations with a high dependency on government contracts and federal funding may want to evaluate opportunities to deploy their core competencies in markets other than the public sector. It is not unreasonable to surmise that the new administration and the current Congress will restrain growth in budgets in areas that are not deemed a priority.
As priorities and policy direction become clearer over time, companies can firm up their responses to potential changes in the operating environment. Meanwhile, it is never too early to start thinking about alternatives. Directors should ensure that their companies’ boards are paying attention.
Dig into deeper insights from Protiviti by visiting their Board Perspectives piece on emerging geopolitical and regulatory challenges.
Undergraduate, graduate, and professional students of cybersecurity from around the world gathered earlier this year to participate in a cybersecurity competition that simulated the international policy challenges associated with a global cyberattack. While the goal was to practice sound policy decisions, the majority of competing teams unintentionally led the U.S. into starting an international war. Given a variety of diplomatic and other means of responding to cyberattacks, participants largely took the aggressive approach of hacking back in response to cyberattacks from China, with disastrous consequences.
While the competition’s participants are all students today, they may well go on to be corporate directors and government leaders of tomorrow. Based on current debate about how organizations in the private sector should respond to cyberattacks, it seems the actions taken by these students may well be representative of a broader trend. In fact, there is enough of a push for organizations to be legally authorized to “hack back” that earlier this year a member of Congress proposed a bill to empower people “to defend themselves online, just as they have the legal authority to do during a physical assault.”
As a business leader, I believe this measure would do more harm than good.
What Is Hack Back?
Hack back, which is sometimes called counterstrike, is a term used to refer to an organization taking offensive action to pursue, and potentially subdue, cyberattackers that have targeted them. For the purposes of this article, I am specifically talking about action taken by private sector organizations that affects computers external to their own network. We are not discussing government actions, which tend to occur within existing legal frameworks and are subject to government oversight.
Hack back activities go beyond defensive measures that organizations may put in place to protect their environments. It is generally understood that hack back activities extend beyond the victim’s own network, systems, and assets, and may involve accessing, modifying, or damaging computers or networks that do not belong to the victim. Directors should note that today it is illegal under the Computer Fraud and Abuse Act for private parties to access or damage computer systems without authorization from the technology owners or an appropriate government entity, even if these systems are being used to attack you. That is what proponents of hack back want to change, and the proposed bill goes some way towards doing this.
The Case for “Self Defense”
In response to the legal restriction, proponents of a law to legalize hacking back at cyberattackers often argue that the same principle should apply as that which allows US citizens to defend themselves against intruders in their homes, even with violent force. While it may sound reasonable to implement equal force to defend a network, the Internet is a space of systems designed specifically for the purpose of interacting and communicating. Technology and users are increasingly interconnected. As a result, it’s almost impossible to ensure that defensive action targeted at a specific actor or group of actors will only affect the intended targets.
The reality of the argument for hacking back in self-defense is unfortunately more akin to standing by your fence and lobbing grenades into the street, hoping to get lucky and stop an attacker as they flee. With such an approach, even if you do manage to reach your attacker, you’ll almost certainly cause terrible collateral damage. Can your organization afford to clean up such a mess? What would be the repercussions for your reputation and position in the marketplace?
Another significant challenge for private sector organizations looking to hack back is that, unlike governments, they typically do not have the large-scale, sophisticated intelligence gathering programs needed to accurately attribute cyberattacks to the correct actor. Attackers constantly change their techniques to stay one step ahead of defenders and law enforcement, including leveraging deception techniques. This means that even when there are indications that point to a specific attacker, it is difficult to verify that they have not been planted to throw off suspicion, or to incriminate another party.
Similarly, it is difficult to judge motivations accurately and to determine an appropriate response. There is a fear that once people have hack back in their arsenal, it will become the de facto response rather than using the broad range of options that exist otherwise. This is even more problematic when you consider that devices operating unwillingly as part of a botnet may be used to carry out an attack. These infected devices and their owners are as much victims of the attacker as the primary target. Any attempt to hack back could cause them more harm.
The Security Poverty Line
Should hack back be made a lawful response to a cyberattack, effective participation is likely to be costly, as the technique requires specialized skills. Not every organization will be able to afford to participate. If the authorization framework is not stringent, many organizations may try to participate with insufficient expertise, which is likely to be either ineffective or damaging, or potentially both. However, there are other organizations that will not have the maturity or budget to participate even in this way.
These are the same organizations that today cannot afford a great deal of in-house security expertise and technologies to protect themselves, and currently are also the most vulnerable. As organizations that do have sufficient resources begin to hack back, the cost of attacking these organizations will increase. Profit-motivated attackers will eventually shift towards targeting the less-resourced organizations that reside below the security poverty line, increasing their vulnerability.
A Lawless Land
Creating a policy framework that provides sufficient oversight of hack-back efforts would be impractical and costly. Who would run it? How would it be funded? And why would this be significantly more desirable than the status quo? When the U.S. government takes action against attackers, it must meet a stringent burden of proof for attribution, and even when that has been done, there are strict parameters determining the types of targets that can be pursued and the kind of action that can be taken.
Even if such a framework could be devised and policed, there would still be significant legal risks posed to a variety of stakeholders at a company. While the Internet is a borderless space accessed from every country in the world, each of those countries has its own legal system. Even if an American company were authorized to hack back, how could you ensure your organization would avoid falling afoul of the laws of another country, not to mention international law?
What Directors Can Do
The discussion around hacking back so far has largely been driven by hyperbole, fear, and indignation. Feelings of fear and indignation are certainly easy to relate to, and as corporate directors, powerlessness does not sit well with us. It is our instinct and duty to defend our organizations from avoidable harm.
The potential costs of a misstep or unintended consequences from hack back should deter business leaders from undertaking such an effort. If another company or a group of individuals is affected, the company that hacked back could find itself incurring expensive legal proceedings, reputational damage, and loss of trust by many of its stakeholders. Attempts to make organizations exempt from this kind of legal action are problematic, as they raise the question of how we can spot and stop accidental or intentional abuses of the system.
It’s one thing for students to unintentionally trigger war in the safe confines of a competitive mock scenario, and another thing entirely to be the business leader that does so in the real world. Directors of companies must instead work together to find better solutions to our complex cybersecurity problems. We should not legitimize vigilantism, particularly given the significant potential risks with dubious benefits.
Corey Thomas is CEO of Rapid7. All opinions expressed here are his own.