Is cyber fear hurting cross-border investment?

Cyber security is looming as one of the great challenges of the 21st century. Several governments around the world are responding by strengthening online security laws, which in some cases is creating a degree of regulatory uncertainty and, critically, running the risk of deterring cross-border investment.

To protect the health of a number of technology sectors, and the economy more broadly, it is vital for governments to ensure any national security reform does not unintentionally shut off more than just unwanted cyber activity.

"It is vital for governments to ensure any national security reform does not unintentionally shut off more than just unwanted cyber activity."
Cheng Lim and Michael Swinson, Partners at King & Wood Mallesons


Recent developments in the Asia Pacific have shown the impact of overly constrictive regulation. The introduction of new telco security laws in New Zealand prompted a Google-sponsored research project on software-defined networks to relocate to Australia and the US.

The Australian government has some history of blocking foreign vendors from participating in projects of national significance because of potential security concerns, having barred Chinese giant Huawei from supplying equipment for the NBN in 2013.

Companies may be less willing to make this type of international investment in the region if faced with laws that could see them locked out of the market at the government's discretion.


In this regard China has less to lose than Australia as it is a much bigger market that simply cannot be overlooked by major international vendors and in any case has its own major domestic suppliers of network equipment like Huawei and ZTE.

By contrast Australia is a smaller market where network operators are already dependent on a relatively narrow range of major equipment suppliers. Any further narrowing of this pool may have a detrimental impact on competition and drive up prices.

Overly restrictive security laws may also deter local companies from spending scarce resources on technical innovation and the development of new services. In this context, it is interesting to compare the approaches different legislators are taking around the world to strengthen their security powers.


In July the Chinese government released a new draft law for public comment. The signal was that Beijing is preparing to tighten its control over the construction, operation, maintenance and use of the country's information networks.

Amongst other things, the law would require network operators in China to have cyber security protocols in place to protect against attacks, ensure IT products and services they use meet relevant national standards and take immediate action against any security flaws.

The law would also require information collected or generated by key information infrastructure facilities deemed critical by the government be stored exclusively within mainland China.

The draft law would apply to international as well as domestic businesses and so would directly affect foreign operators with a presence in China, as well as foreign vendors who may need their products to be certified by the Chinese government before sale in the country.

Still, it is difficult to predict the impact of the law as many of the critical definitions have been left somewhat vague. The term "network operator" is broadly defined in a way that would clearly cover telco and network service providers but could also extend to other information service providers such as search engines, social media sites and e-commerce platforms. It is also unclear what information may be deemed so critical it cannot be held offshore.


These developments in China coincide with a similarly broad and vague proposal by the Australian government to enhance its own national security powers in relation to telco infrastructure.

In June, Attorney-General George Brandis released an exposure draft of legislation imposing new duties on telco operators to protect their networks against security threats. It would also give the Attorney-General new powers to obtain information and require telcos to do (or refrain from doing) certain acts that may be prejudicial to national security.

The proposals prompted a swift critical response from industry, with many industry groups describing the draft legislation as regulatory over-reach that would give the government too much power to intrude into commercial matters and impose an unjustifiable new compliance burden on industry.

A key concern is the government could use its new powers to prohibit the use of equipment or services supplied by some vendors, which is no doubt a concern for some foreign suppliers given the past experiences of companies like Huawei.

It is unclear whether the recent change in government will alter the approach taken in Australia. The Attorney-General has engaged in a number of rounds of discussion with leading telco operators and may be pressured into moderating some of the broader powers proposed in the draft legislation.

Taking into account the risks discussed above, in order not to discourage foreign investment, it is important for governments to ensure any reform does not come at the expense of regulatory certainty.

Cheng Lim and Michael Swinson are partners at King & Wood Mallesons.

The views and opinions expressed in this communication are those of the author and may not necessarily state or reflect those of ANZ.
