Here’s who has the ear of China’s most active cyber regulator
China's economy is projected to be the world's largest by 2028, and Beijing is betting heavily on the power of technology to get it there. But China needs to build and sustain public trust in tech platforms if it wants a future with smart cities that run on the cloud, wide adoption of digital currency and increasing reliance on electronic devices that collect vast amounts of personal data. So it's hastily assembling a regulatory framework, and the organization doing much of this building is the National Information Security Standardization Technical Committee (also known as Technical Committee 260 or TC260). Despite its wonky name, it wields extraordinary power over Chinese cyberspace; as of December, it has issued more than 300 standards related to information security and cybersecurity, and it has about 700 more in the works.
TC260 isn't an enforcement body, but its influence is visible throughout Chinese government. For example, in October 2020, it released an updated personal information security standard with recommended practices for data governance and security. About three weeks later, the government released a draft of its updated Personal Information Protection Law for public consultation, and two days after that China's National Computer Virus Emergency Response Center published a list of over 20 mobile applications in violation of existing personal information protection laws and urged users to be wary of downloading these apps. The list mostly includes Chinese apps, but also named Amazon, a sign that foreign companies operating in China could also be swept up in coming regulatory crackdowns.
Multinationals have to ensure their technologies align with standards to pass regulatory checks if they want to maintain their operations in China.
This is surely one reason why dozens of foreign companies sit on TC260's working groups, as do hundreds of Chinese ones; these companies nervously await each new release, and often task their lawyers or outside firms with quick guidance.
TC260 is also more transparent than a typical Chinese government entity. The identities of its 81 committee members and corporate participants in its working groups are all public, as are the names of the companies and individuals credited with input on each of TC260's regulations. Protocol has collected and analyzed all information released by TC260 to unpack which companies have the regulator's ear.
Chinese tech giants: Who's primus inter pares?
China's largest technology companies have a large footprint. Among 81 committee members, Baidu, Alibaba, Tencent and Huawei (the "BATH") are all represented, as are Lenovo, ZTE and JD. Committee membership on TC260 is valuable, as committee members get the final say on standards coming out of various working groups, and they can vote to send standards back to a working group for revision. The committee member from Huawei also wields influence as the team lead for the working group looking at communication security standards, meaning that they can impact that group's standard setting deliberations.
But even though all these large technology companies have representation on TC260's committee or one or more of TC260's working groups, not all of them play an active role in drafting TC260 standards and regulations. Instead, Huawei and Alibaba are preeminent among them. Both have their fingerprints on more than 20 released national standards.
China's big tech companies seem to have the greatest involvement in the Internet of Things. Of the 16 regulations that have been released or are currently in progress that relate to IoT, almost 50% of them have one or more BATH companies involved in drafting the regulation. As "smart" devices scale up into "smart" cities, IoT technology will play an even greater role in people's daily lives — from traffic congestion to water usage metrics — meaning that China's tech giants are helping to define standards that reach far beyond phone screens.
It's clearly an unequal bunch. Xiaomi and ByteDance sit on multiple working groups but are not credited with helping to draft a single standard or regulation. In fact, their peers may be using TC260 to undercut them. For example, a personal information security specification that formally went into effect in October 2020 requires users be given a clear opt-out mechanism from their news filter bubbles so they can view generic, rather than tailored, content. While the specification impacts all the big technology companies that work with data, this new addition seems like it could be targeted at ByteDance's Toutiao product, which has dominated the personalized news space due to its novel, algorithmic recommendation system that's juiced user engagement. Two contributors to that new regulation? Tencent and Alibaba, both ByteDance competitors. ByteDance itself is notably absent.
Huawei's prevalence in TC260 may give the company a greater say in the country's future technology infrastructure. Huawei has been involved with TC260 regulations and standards related to telecommunications, data security and cloud computing, which fundamentally impact many organizations that work with or transfer data. The telecommunications giant has also been involved with standards such as the "Framework of smart city security system" which sets foundational standards for China's smart city ambitions. Huawei's 5G technology is likely to form part of the key infrastructure for China's smart cities, as it enables faster and more reliable data transfers.
Meanwhile, many of the policies Alibaba and its subsidiaries, such as Taobao and Ant Financial, have helped draft generally involve safety standards and regulations for big data, cloud computing and cloud security. While Alibaba is currently involved in 40 of the projects in progress (about 6% of the total), it's unclear whether Ant's recent regulatory troubles could threaten its future involvement in certain regulations.
Enter the foreigners ... sort of
While the standards that TC260 sets are unlikely to have the global impact of Europe's GDPR — which has compelled American companies to change their cybersecurity practices and pushed tech giants like Twitter and Facebook to look beyond America's borders to identify important compliance hurdles — Chinese standards will immediately impact foreign companies operating in China. They may also indirectly shape the regulatory standards in regions where China has invested heavily, particularly Africa and South America, which have young populations and are ripe for technological and economic growth.
TC260's regulations may also help China further wall itself off from the international community. As China sets more stringent cybersecurity standards, many of which fail to align with international standards, companies may just choose to build operations around two incompatible systems — China's and the rest of the world.
TC260 started allowing foreign companies to join the ranks of its working groups in 2016. But unlike some big Chinese tech companies, the foreigners are mostly window dressing. Protocol took a deep dive into the composition of TC260's committee and working groups, as well as all of the regulations currently being researched, revised or already released by TC260. Foreign companies make up just 6% of the working group members for which data are available.
Foreign companies are most prevalent in three working groups: information security evaluation, information security management and big data security.
Qualcomm stands out as the only foreign member in every single one of the working groups that allows public participation. Other big players in the technology space such as Intel, IBM, Siemens, Dell, Oracle, Apple and even Google — many of whose services are blocked in China — are repeat members. Many of these companies are the same ones most likely to be hurt by tough cybersecurity regulations.
But as shown by China's big technology companies, representation in a working group doesn't equal influence. When we look at the standards and guidelines currently being researched, developed and revised by TC260, and who's credited for them, the involvement of foreign companies barely registers. Just four regulations have been released with acknowledged input from foreign companies. Foreign companies can contribute to TC260 regulations by submitting comments when TC260 solicits public suggestions, but it's unclear whether TC260 members give much consideration to external submissions.
Reading the tea leaves
TC260 currently has more than 700 projects "in progress." In many of these, TC260 is continuing work related to topics it has repeatedly emphasized, particularly security standards for cloud computing, passwords and verification, and trusted computing systems. To read the tea leaves of what TC260's new areas of focus might be for future standards and regulations, we looked at the terms and phrases that appear in the titles of projects in progress, but not in the titles of regulations that have already been released. This allows us to isolate new topics or technologies that future TC260 standards may cover. Here's what comes up:
Many new projects revolve around TC260 tracking its current standards, streamlining its complex maze of rules and evaluating its standards against international ones. Currently, only about 15% of the standards released by TC260 align with global standards, creating a tangle of regulations for multinational companies that operate in both China's market and external markets. It looks like TC260 is trying to solve for that by adjusting its own standards, as well as proposing some of its standards for international adoption by the ISO.
Some of the most prevalent new terms of note are "critical information infrastructure," "broadband," "metropolitan area network" and "malware," which suggest that TC260 is focusing its efforts on securing China's vast wireless network. As China's government shifts more critical functions to the digital sphere — from banking to education — the need to secure its digital space becomes increasingly pressing.
Some terms reflect new trends in China's tech space — "digital currency," "blockchain," "ecommerce system," "shopping" and "payments" — which all relate to China's digital economy and the country's efforts to develop a new digital currency backed by the central bank.
Other new terms of note are "finger veins," "gait" and "face," all of which relate to technologies for personal identification. These may be used for surveillance purposes, for which China is notorious, but they are also critical for fintech. After all, citizens may only be comfortable using a digital currency if highly accurate identification technologies can ensure that their money is securely tied to their identity.
Protocol | China's P3 Intelligence Platform tracks major Chinese standards and regulations with the power to affect your business. To learn more or have your company become a subscriber, click here.
This is the first in a series of Protocol | China analyses introducing our proprietary research methods. The methodologies above are also available for bespoke research.