China’s legislature approved its Cybersecurity Law this past November, solidifying China’s regulatory regime for cyberspace and potentially disrupting foreign companies that use or provide telecommunications networks in China. The law takes effect June 1, 2017, and reflects China’s desire for “cyber-sovereignty” (regulating the Internet in China according to national laws, despite the global nature of the World Wide Web). As the Chinese Communist Party (CCP) faces pressure from slowing economic growth and foreign influence, the Cybersecurity Law is one in a series of laws the Chinese government has implemented recently to uphold state security.
Significant Provisions of the Law
Though the wording of the law is vague, it formalizes many current practices and aims to consolidate cybersecurity authority under the Cybersecurity Administration of China. While the government is expected to offer more clarification on the law through implementation rules, how the law plays out in practice will be the ultimate indicator of its severity. These three aspects of the law have the greatest potential to affect multinational companies (MNCs) doing business in China, according to an NACD analysis:
1. Data localization: Article 37 of the law is one of the most contentious. It requires “critical information infrastructure” (CII) operators to store, in mainland China, the personal information and other important data they gather or generate in mainland China. CII operators must have government approval to transfer this data outside the mainland if it’s “truly necessary.” The definition of CII is a catch-all, including public communication and information services, power, traffic, water, finance, public service, electronic governance, in addition to any CII that would impact national security if data were compromised.
Impact: The broad applicability of the CII definition raises the concern that any company using a telecommunications network to operate or provide services in China would be required to store data in mainland China, possibly even affecting those that store data to clouds with servers located outside mainland China.
2. Support for Chinese security authorities: Article 28 requires “network operators” to provide technical support to security authorities for the purposes of upholding national security and conducting criminal investigations. Network operators are broadly defined as those that own or administer computer information networks or are network service providers, which may include anyone operating a business over the Internet or networks.
Impact: The loose definition of “technical support” creates the concern that MNCs will be required to grant Chinese authorities access to confidential information, compromising private information and intellectual property that may be shared with state-owned competitors. Although not stated in the final version of the law, there is also the possibility that companies may be required to provide decryption assistance and backdoor access to authorities upon request.
3. Certified network equipment and products: For network operators, Article 23 indicates that “critical network equipment” and “specialized network security products” must meet national standards and pass inspection before they can be sold or supplied in China. A catalogue providing more specification on these types of products will be released by the government administrations handling cybersecurity. Under Article 35, CII operators are also required to undergo a “national security review” when purchasing network equipment or services that may affect national security.
Impact: Chinese companies and government agencies have historically relied on computer hardware and software manufactured by foreign companies, although this is now shifting in favor of domestic IT products. Opportunities for hacking and espionage put China at risk of losing sensitive information to foreign governments or companies, and China has already started conducting reviews of the IT security products used by the central levels of government. This provision of the Cybersecurity Law demonstrates China’s resolve to mitigate this risk and may pose a significant barrier to foreign IT equipment manufacturers selling products in China.
How Directors Can Prepare
China’s Cybersecurity Law has been criticized by the foreign business community, and, depending on the law’s implementation, it may make doing business in China for MNCs not only more complex but also riskier. Tom Manning, a China specialist at the University of Chicago Law School and director of Dun & Bradstreet, CommScope, and Clear Media Limited, advises boards to consider the effect of the Cybersecurity Law in the greater context of China’s rise: “The Chinese economy is increasingly more self-sufficient. Domestic companies are growing stronger and are more capable, while multinational companies are finding it more difficult to compete.”
Manning suggests boards conduct an overall China risk assessment, with the Cybersecurity Law as the focal point. While some companies may determine the risk of doing business in China is too high, Manning says, others might decide they need to invest more in China to be profitable. Ultimately, creating alliances with domestic firms, who have a greater influence over the government’s implementation of the law, may be key. “Leading domestic companies have a stake in seeing a better definition of the law, and their interests aren’t unaligned with multinational companies,” Manning says. “Chinese Internet companies can explain to the government how the law will affect their business models and be more effective in doing so than Western companies.”
Although how the law will be enforced remains to be seen, boards can consider the following questions when evaluating the impact of China’s Cybersecurity Law:
Are we storing information generated or gathered in mainland China on servers in mainland China? Do we need to create separate IT systems for China-specific data? Are we reliant on cross-border data transfers, and how would we approach this need with the Chinese government?
What is our risk exposure stemming from the potential loss of intellectual property or encryption information as a result of this law? How would our business be affected should our Chinese competitors gain access to this information?
For computer hardware or software manufacturers, are we willing to share our source code with the Chinese government?
For technology firms, how does the law alter the playing field for our company to compete in China against domestic firms?
What additional investments do we need to make in order to comply with this law?
Michael Uslan has been many things: a lawyer, a professor, an executive producer, and—most recently—a global media mogul; but he identifies most closely with the moniker that became the title of his 2011 memoir: The Boy Who Loved Batman. During an interview at the 2015 NACD Global Board Leaders’ Summit, Uslan reflected on his experience in media—ranging from Hollywood as a case study on how to think about competition to the danger of losing sight of the story to the rise of China as an indispensable partner in long-term strategic growth. In the process, he shared valuable insights that apply across industries.
A self-described “comic-book geek” even before he could read, by the time Uslan graduated from high school, he had amassed a collection of more than 30,000 issues. “They were stacked floor to ceiling in our garage,” he recalls. “My dad never could get a car in there.” While Uslan would read almost any superhero rag within reach, he developed an early and enduring love for the caped crusader. That love drove him, at age 28, to buy the rights to the Batman franchise. He was able to purchase them for a song, even as the president of DC Comics tried to talk Uslan out of the deal, telling him that Batman was “as dead as a dodo.” Uslan was undeterred. He believed in the potential of showing a darker, more human side of Batman, to say nothing of the revenue the franchise could generate in ancillary toy, comic book, video game, and other product sales.
Armed with what he saw as a self-evident blockbuster idea, Uslan made the rounds of the Hollywood studios. He was rejected at every turn. “I was told I was crazy. They told me it was the worst idea they had ever heard.” In fact, it took 10 years to get the first film, 1989’s Batman, greenlighted; but that break gave Uslan the chance to launch, almost single-handedly, a franchise that has achieved No. 1 box-office rankings and grossed billions of dollars worldwide.
Uslan’s experience is reminiscent of other cases in which visionary concepts were initially pooh-poohed by power brokers and industry leaders who couldn’t believe that customers would respond to something different from the status quo. Consider these two examples, cited by speakers at last year’s NACD annual meeting: John Backus, co-founder and managing partner for New Atlantic Ventures, described his company’s failure to foresee the transformative power of the World Wide Web: “I ran an Internet banking company. We were focused on the phone in the home. We missed the Internet. We missed the Internet because we had our blinders on.” Scott Kupor, managing director at Andreessen Horowitz, summed up how his company missed the boat on AirBnB: “When we first saw it, we thought, ‘This is crazy.’ We made the cardinal mistake in venture capital that I hope we never make again, which is we thought about [the proposal] in the context of our own frame of mind and what we thought was appropriate…. [W]e viewed it through the lens of our current biases.”
Digital Disruption Fuels the Rise of Techtainment
Hollywood is notoriously insular. A colleague who is both a corporate director and a veteran of the studio system once observed, “They have a model that locks others out, but the problem when you lock others out is that you lock yourself in.” Uslan noted that Hollywood is making fewer and fewer movies. As revenue models contract to a handful of familiar formulas, it becomes harder to make groundbreaking films like 1989’s Batman and the hits that followed it. None other than Steven Spielberg and George Lucas famously predicted the implosion of the U.S. film industry in a 2013 lecture at USC’s film school, citing as its principal cause the big studios’ collective fear of straying from the tried and true.
At the same time, Hollywood is facing increased competition from indie upstarts, much of it attributable to the studios themselves for underestimating the importance of mobile technology and innovative delivery systems for their products. The fate of distribution outlets like Blockbuster is already the stuff of b-school case-study legend, while major cable networks and big studios are fighting to stay relevant in a creative space that is now being rapidly colonized by newcomers like Amazon Studios, Netflix, and Hulu.
“It’s a new world,” Uslan observed, “and it’s changing so fast.… Netflix, Amazon, Google, Yahoo, Microsoft—these are the names that are becoming more and more prominent; as you look to the future, they may be the names that compete with or even supplant the names of the studios and networks we know today. Add to that rapid changes in technology [that enable filmmakers] to get their products directly to the individual consumers—whether they want to see it on a big screen, on their wristwatch, in their glasses, or maybe one day projected on the moon.”
Uslan also cautioned against becoming so enamored with a product that a company loses sight of its overarching value proposition. He cited both the decline in box-office revenues and in the target age of audience members, which has dipped to 25 years old. Couple that with the aforementioned fear of innovation, and Uslan sees a clear connection. “I always say there are 10 great rules to making a great movie,” he said: “No. 1, story; No. 2, story; 3, story; 4, story; 5, characters; 6, characters; 7, characters; 8, story; 9, story; 10, story. And as long as they remember that, we’re great. If instead they become enamored of these toys, these special effects, and just want to top the person who came before them, then you wind up with shoot-’em-up–blow-’em-ups that are unsatisfying to anyone over the age of 18.” Substitute the phrases “value proposition” and “corporate mission” for the words character and story in Uslan’s rules, and you have a prescient lesson for every company.
Beyond Borders: The New Hollywood
Discussion of disruption wasn’t limited to technology. Uslan’s message for the director audience: “China, China, and China.” The Asian continent is home to 1.5 billion new media consumers, and by 2018, China will surpass the U.S. as the largest film market in the world. When that happens, decision-making will move from Hollywood to Beijing and Shanghai, generating seismic aftershocks in the way that media is created and consumed. It comes as no surprise then that Uslan is looking to that region of the world for much of his future business. Last month he inked a large deal with one of China’s leading production companies, Huace, and just this week announced a deal with Huayi Brothers Media to launch a film and TV franchise based on the “Thunder Agents” comic book series. “The sleeping giant has awakened,” Uslan says of China and cautions that success in the region hinges on building both relationships and true cultural understanding.
“We have spent the past two years going to China, having a presence there, developing relationships, nurturing friendships, building trust—investing two years before we sat down to make deals—and that I think has been one of the most important aspects of what we’re doing and how we’re approaching it,” Uslan observed. “We are looking for true partners; we want full, 50/50 partnership; we want you sitting at the table with us; we want you engaged with us; and we want you to make us understand what is authentic to China, what is culturally sensitive to China, so that it’s not just our Westerner’s imposition,” he continued.
When asked about the Chinese consumer base, Uslan shared perhaps his biggest surprise to date—the success of a decidedly American superhero movie. “I have been absolutely amazed…. Consider this in the last year: the movie Captain America played well in China. Captain America! Dressed in a red, white, and blue American flag, solving everyone’s problems—culturally that was amazing to me and a real eye opener.… The Chinese are open to American culture and world culture, and we must be open to theirs as well,” he said. “That is the only way this is going to work.”
Uslan shared similar observations about working with Chinese executives. “What I love about the business culture in China is that it’s very close to ours,” he said, “I worked for a number of years in Japan, and I have to tell you that in all the meetings I had in Japan, there was never one situation where there was a female executive at any of the meetings I attended. In China, it’s probably 50 percent, and it’s a very comfortable feeling working with them; and they are open to learning and sharing on that level. Our relationship has been one truly built on friendship and, hopefully, trust going forward.”
Uslan summed up his observations with a challenge to the audience—stay curious, move outside your comfort zones, and be willing to re-imagine what’s possible: “Things are changing so fast now—if you don’t do that, the risk of your becoming irrelevant is very high.”
It is requisite to start every NACD session on boardroom oversight of cybersecurity with the adage: “There are two types of companies: those that know they have been hacked and those that don’t.” And so begins the one- to two-hour panel discussions—experts in cyber technology outlining and explaining the various methods that have already been employed to hack into companies. Understandably, attendees usually leave these sessions a bit pale and speechless.
Cyberattacks on the private sector are a reality, not merely a threat. In 2013, 50 percent of companies with more than 5,000 employees surveyed by the Ponemon Institute reported one or more phishing attacks, a figure that has nearly doubled since 2009. Further, it is those at the higher levels of organizations that are targeted in attacks. In a recent Verizon report on data breaches, it was reported that executives—with higher public profiles and access to secure information—top the list of employee categories targeted in phishing attacks.
Oversight of cybersecurity is at the intersection of national security and the private sector. In the most recent issue of NACD Directorship magazine, Jeff Cunningham, in “The Art of Cyber War,” details the evolution of the cyber battle currently ensuing between China and the United States. Under Chairman Mao, China was defended by the Red Guard. Today, however, the Red Guard has been replaced by “digital warriors,” expert in technology and the English language, working from residential areas of China. According to a report representing the culmination of six years of research from Mandiant—an American security company—Chinese hackers have stolen technology blueprints, negotiating strategies, and manufacturing processes from more than 100, mostly American, companies.
At NACD’s Spring Forum this week, cybersecurity expert Richard A. Clarke summarized the current environment: “China does not want to fight the United States in a military war, they want an economic war. You have the Chinese government against your company.” During this session, however, Clarke and Karl Hopkins from SNR Denton went beyond the harsh realities of cyber risk to provide guidance that directors can use at their next board meeting.
Understand you are on your own. The government’s cyber defense budget is allocated toward the military and national security, not toward the private sector. It is up to each company to create a cyber defense strategy.
Define and protect the “crown jewels.” Companies can’t afford to defend every aspect of the organization. As such, it is wise to develop a minimalist strategy that foremost protects the sources of competitive advantage.
Don’t wait for the “big event.” Most frequently, companies are not crippled by one significant event, but instead a “death of one thousand cuts”—a slow creep of proprietary information.
Incorporate the general counsel. At most organizations, the role of the CIO is to keep the company running and costs down, and therefore the CIO may not be the best choice to be responsible for cyber risk management. At American Express, for example, the general counsel has a key role in cyber risk management.
Spend intelligently. You can spend the entire company’s budget on cyber defense and still not know if the company is truly secure. The company should develop a defense strategy first, and then purchase the necessary supporting technology.
Ask the right questions. At the next board meeting, directors should ask: “Have we been breached?” Then, “What forensics team have we brought in to look at these threats?” Most likely, directors will require outside expertise to aid in the understanding of cyber risks.
Technology risk oversight is an area that will require more dedicated effort in the future. As such, NACD will continue to raise the discussion with white papers at upcoming educational events and in our NACD Directorship 2020 initiative.