The Chinese government may use a collection of 300 so-called "national cybersecurity standards" to deter or sabotage the efforts of foreign tech firms trying to enter the Chinese market.
These national cybersecurity standards are government-issued documents containing various cybersecurity-related recommendations for the design and operation of various products, such as routers, firewalls, or even software applications.
Some of these standards describe methods of providing the Chinese government with access to sensitive data belonging to Chinese citizens that is handled by a particular type of service or hardware product. Other stipulations provide a list of acceptable encryption algorithms, while others specify how a product should handle cross-border data transfers.
These standards are drafted and issued by the Chinese National Information Security Standardization Technical Committee (TC260), a government agency that has issued roughly 300 standards since 2015.
The Chinese government currently says these standards are all only "recommended" as mere guidelines for product and service design and bear no official status for the sale of products on the Chinese market.
But according to the Center for Strategic and International Studies (CSIS), a Washington-based think tank, in practice, many of these "recommended" standards may actually be required to do business in China.
"This is the case when standards are listed as procurement requirements for government or SOEs (state-owned enterprises)," CSIS experts explain.
Private Chinese companies may also decline to buy products from vendors who lack a certification associated with certain standards, as doing so may render their own upstream products non-compliant.
This makes it harder for foreign firms to enter the market without having products that adhere to these standards.
"To comply with some standards, foreign firms may need to redesign products for the China market where they are not compatible with international standards," the CSIS writes in a report released at the start of the month.
In addition, meeting some of these standards implies granting the government access to sensitive data as a condition of compliance. Many foreign companies may view this as damaging to their image, similar to the reputational damage Google recently incurred after admitting it was developing a censored version of its search engine for the Chinese market.
Furthermore, the mere existence of these standards may be used by government officials as a basis for testing and certification, or even pressuring foreign companies into undergoing invasive product reviews where sensitive intellectual property and source code may be exposed, even if not explicitly required by the standard itself.
But CSIS experts also believe that these standards, although drafted on the premise of protecting China's national cybersecurity against foreign governments, terrorists, and cyber-criminal groups, may very well end up being used as foreign policy tools in an escalating tariff war with the US.
The standards could be used to block US companies' access to China's market, and even if the tariff war were to end, they would remain in place, hindering non-Chinese firms trying to establish a foothold in what appears, at the political level, to be a friendly market.
The CSIS report comes in a period when Chinese-American tensions are on the rise, including on the cyber front. A Pentagon report released yesterday warned that China was intensifying its efforts to narrow the gap with the US' cyber capabilities.
A Recorded Future report released this week also detailed a recent cyber-espionage campaign carried out by a known Chinese nation-state group, this time targeting the State of Alaska Government and Alaska’s Department of Natural Resources.