National Security and China’s Information Security Standards

Of Shoes, Buttons, and Routers

As part of a concerted effort to promote indigenous innovation, Chinese policymakers crafted a set of information security standards entitled “Regulations on Classified Protection of Information Security.” These far-reaching regulations (often referred to in English as the Multi-Level Protection Scheme, or MLPS)—in theory aimed at protecting China’s national security—actually serve to protect a great swath of Chinese industry from international competition. While in some cases the national security claims may be valid, these regulations appear to overstep the standard definition of national security in World Trade Organization (WTO) law. Not only could these information security measures have far-reaching commercial consequences, but if parties are not careful, they may also result in a long-averted delineation of the national security exceptions in the General Agreement on Tariffs and Trade and other related WTO legal documents.

This report argues that China should steer clear of using the WTO’s national security exceptions to protect the information technology industry. China could take some immediate steps: reduce Grade III coverage under the Regulations on Classified Protection of Information Security (RCPIS) to just those entities that can legitimately be considered essential security concerns (or remove the domestic content mandate from Grade III), make policies more transparent, and ensure that assessment procedures are in line with international standards. If China is open to reasonable discussions with other countries on how they are dealing with similar matters, it should be possible to preserve the national security exception and achieve information security in the least-trade-restrictive manner possible. While this report focuses on Chinese regulations, these issues have global dimensions. The nexus of information security and national security raises concerns that every country needs to address. Recent hearings in the United States relating to Chinese telecommunication providers Huawei and ZTE make evident the need to better delineate national security threats in a nondiscriminatory manner.

Nathaniel Ahrens